Despite the fact that the authors of the Pinch Trojan were “pinched” by law enforcement in 2007, the Pinch Trojan continues to be a current threat both because the source code is available (so anyone can modify it and release a variant) but also because old versions of Pinch continue to be effectively used. In 2007, F-Secure analyzed data collected from a Pinch command and control server using a tool called PinchParserPro 220.127.116.11. PinchParserPro allows the attackers to parse, search and export the data stolen by the Pinch Trojan. Three years later Pinch is still in action, often bundled with an assortment of other malware. (Here is a paper that has a detailed technical analysis of Pinch variants.)
Data recovered from a recently active Pinch command and control server, moretds.org (formerly moretds.in) indicates that 26,308 IP addresses uploaded data to the server. The top three countries affected were the US, Germany and Turkey but there was a considerable geographic distribution with a total of 150 countries affected.
In order to read the data PinchParserPro 18.104.22.168 had to be used, which is an older than version than what F-Secure used (PinchParserPro 22.214.171.124) in 2007. It is interesting that such an old version is still being successfully deployed.
While investigating the recovered data, credentials associated with government accounts were discovered. One of the victims of the malware was the Ministry of Foreign Affairs of the People’s Republic of China. While there has been much attention on malware attacks emanating from China, China is also a victim of malware attacks. In fact, a recent cyber-crime report by Symantec revealed that Chinese users were the most victimized by online crime.
The governmental accounts recovered from the control server include:
- Ministry of Foreign Affairs, China
- Industrial and Commercial Administration Bureau in Taiyuan, China
- Ministry of Health, Turkey
- Izmir Tax Services Department, Turkey
- Istanbul Security Directorate, Turkey
- Aegean Obstetrics and Gynecology Training and Research Hospital, Turkey
- Ministry of Environment, Brazil
- Regional Labor Court 6th Region, Brazil
- National Electoral Commision, Poland
- Ministry of Agriculture, Forestry and Water Management, Macedonia
- Drug Enforcement Administration, Office of Diversion Control, E-Commerce program, USA
- City of Oklahoma City, USA
- Taipei Sewage Systems Office of Health, Taiwan
- Ministry of Interior, Ukraine
- Dirección Nacional de los Registros Nacionales, Argentina
While there is often an emphasis on the latest malware threats, old malware persists and continues to be very effective. In addition, attackers are able to compromise government systems using these outdated tools. And, even if the attackers did not intend to compromise these system — and I don’t think they did — attackers are, in general, beginning to realize that not all compromises are the same and that there may be additional value that can be extracted from particular compromised machines.