PWS, Common, Ugly but Effective
Password Stealers (PWS) have been around for more than a decade now. They are legion. Some, like Pony (aka FareIT), are well known, but nobody really takes the time to explain what is out there, what it is capable of and how this little industry works.
Yet they are still a common threat, actively used according to our incident logs.
A PWS is not a RAT; we make this distinction deliberately. The aim of a PWS is to be launched, steal a large number of credentials and optionally keylog and/or drop another payload.
Sadly, nobody cares about them anymore when they trigger an antivirus alert inside a company.
To illustrate this, my presentation will go through a couple of PWS families that I have met, give an overview of the history and capabilities of the threat, and present the tricks, tools and scripts needed to identify and decipher them. Some of these decoding/identification tools are freely available to the community and were not written by me; with them, this task can be achieved by many security people without any reverse-engineering skills.
Finally, I will try to summarize these threats by giving the participants a clear view of what is available in the field.
Paul Jung has been a security enthusiast for a long time. He has worked in the security field in Luxembourg for more than a decade. During this time, Paul has covered operations as well as consulting within various industries. He possesses a wide range of skills and experience that enable him to perform multiple roles, from offensive security audits to security incident handling. From 2008 to 2014, prior to joining Excellium Services, Paul was Senior Security Architect in the Managed Network Security Services department of the European Commission. In that position, Paul was responsible for leading the technical aspects of security projects. He has also written a few articles in the French security magazine MISC about DDoS and botnets. Paul now works at Excellium Services as a security consultant. He is in charge of coordinating the Excellium Services CSIRT (CERT-XLM). In this position, Paul is involved in intrusion response and provides security awareness to Excellium Services customers. Paul is often a speaker at local events and has spoken at the Hack.lu (2014, 2015) and Botconf (2014, 2015) security conferences.