Symantec Intelligence

Valentine Heart Healer or Password Stealer

Created: 11 Feb 2010 • Updated: 12 Feb 2010

Posted on behalf of Bhaskar Krishnappa, Malware Analyst, Symantec Hosted Services

Animated heart-shaped cards are common during the Valentine season, sent to heal restless hearts, and it is no secret that malware exploits this holiday, causing pain to users and security vendors alike. Here we have an interesting sample to examine; its startup code shows that it was compiled with Delphi.

[Image: startcode.gif]

During analysis, an interesting component found in the sample was “ScriptCryptor”, which makes the case more curious. A search on that keyword leads to a tool that is handy for people with minimal scripting knowledge (JavaScript/JScript or VBScript): it packages a script into a standalone executable. Additionally, authors can embed an arbitrary icon resource and version information in the executable.

[Image: IconVersion.gif]

Although the tool was designed to build legitimate applications, malware authors misuse it to construct executables around social-engineering themes, as shown below.

[Image: mail.gif]

The tool's key characteristic is that the original script, which is what actually runs, is embedded in the generated Delphi executable in encrypted form, using the Blowfish algorithm. A scanner that does not decrypt that payload sees only what looks like an ordinary, unencrypted Delphi executable; its signatures and generic heuristics for Delphi binaries find nothing malicious and the file is declared clean. In this case the hidden script is a password stealer that harvests passwords stored by web browsers. At the time of analysis only five of 41 scanners on VirusTotal detected the sample, and those only through generic detections.

[Image: virus_total.gif]
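As an added example (not from the original post and not Symantec's or the tool vendor's code), the following Python triage script illustrates why a sample like this slips past Delphi-oriented signatures and what a quick first-pass check can look for instead: it scans a file for a ScriptCryptor wrapper marker and a Delphi compiler string, and flags fixed-size windows whose byte entropy is high enough to be an encrypted payload, which is how the Blowfish-protected script looks from the outside. The marker strings, the window size and the entropy threshold are assumptions chosen for illustration; the sample bytes are constructed inline, with deterministic pseudo-random data standing in for the encrypted script.

```python
import hashlib
import math
import sys

# Byte strings to look for. "ScriptCryptor" is the component name the analysis
# found; that it is present as a plain ASCII string is an assumption. The
# "Borland" string is a common artifact of Delphi-compiled binaries, also
# assumed here for illustration rather than stated by the post.
MARKERS = {
    "scriptcryptor": b"ScriptCryptor",
    "delphi": b"Borland",
}

WINDOW = 1024        # bytes per entropy window (assumed)
THRESHOLD = 7.2      # bits/byte; encrypted or compressed data sits near 8.0 (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_markers(data: bytes) -> dict:
    """Map each marker name to the offset of its first occurrence, or None."""
    return {name: (data.find(sig) if data.find(sig) >= 0 else None)
            for name, sig in MARKERS.items()}


def high_entropy_windows(data: bytes, window: int = WINDOW,
                         threshold: float = THRESHOLD) -> list:
    """Return (offset, entropy) for every non-overlapping window above threshold.

    A trailing partial window is measured too; very short tails simply score low.
    """
    hits = []
    for off in range(0, len(data), window):
        ent = shannon_entropy(data[off:off + window])
        if ent >= threshold:
            hits.append((off, round(ent, 3)))
    return hits


def triage(data: bytes) -> dict:
    """Combine the marker scan and the entropy scan into one verdict.

    The file is flagged when the wrapper marker is present AND at least one
    window looks encrypted: a plain Delphi build has neither property, which is
    exactly why Delphi-specific signatures alone miss this kind of sample.
    """
    markers = find_markers(data)
    windows = high_entropy_windows(data)
    return {
        "markers": markers,
        "high_entropy_windows": len(windows),
        "first_high_entropy_offset": windows[0][0] if windows else None,
        "suspicious": markers["scriptcryptor"] is not None and bool(windows),
    }


def pseudo_random_bytes(n: int, seed: bytes = b"valentine") -> bytes:
    """Deterministic high-entropy filler (SHA-256 counter mode) for the sample."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed stand-in for the dropper: a fake DOS header, a low-entropy
# "code" region carrying the Delphi string, the wrapper marker, a 4 KiB block
# that mimics the Blowfish-encrypted script, and zero-filled slack.
SAMPLE = (
    b"MZ" + b"\x00" * 62                              # 64 bytes
    + b"Borland Delphi runtime padding. " * 29        # 928 bytes, low entropy
    + b"ScriptCryptor" + b"\x00" * 19                 # 32 bytes -> prefix is 1024
    + pseudo_random_bytes(4096)                       # four full high-entropy windows
    + b"\x00" * 512
)

if __name__ == "__main__":
    # Usage: python triage.py [file]; without a file the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

The script is a triage aid, not a detection: a packer or installer produces high-entropy regions too, and the marker strings are trivially stripped. Its value is in showing that the Delphi-specific heuristics mentioned above are answering the wrong question; the indicator worth checking is the opaque blob the wrapper carries, independent of what compiled the wrapper.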

Given the awareness raised by AV blogs and other resources, this Valentine's Day may be a heartbreaker for many malicious hearts: Symantec Hosted Services is intercepting these messages to protect our customers.