Massive keylogger cache posted to Pastebin.comby Steve Ragan - Jun 14 2010, 12:00
Details for thousands of accounts, from Facebook to PayPal, have surfaced over the weekend on Pastebin.com. The details, which come from keylogging software, appear to have been dumped automatically to the site based on observations from BitDefender, who tipped The Tech Herald off to their existence on Friday.
Along with usernames and passwords, which are expected, the user’s browser details, computer name, and IP address are included with several reports. Keyloggers use simple and quick methods to transfer their information to the person controlling them. Usually the harvested data is shuffled to a remote FTP server or E-mail address.
However, BitDefender noted, “…this dramatically increases the possibility for the law [enforcement] to find out who the remote attacker is and to ultimately get him. Furthermore, the e-mail approach is extremely “noisy”: it is easy for a system administrator to spot the traffic, not to mention that antimalware utilities usually let users know when an E-mail leaves the system.”
To address that shortcoming, criminals, working hand-in-hand with their development counterparts, have developed keyloggers and data harvesting systems that will post their reports to the Web. This keeps things on the low, and Patsebin.com is just one of the many places where such logs can be sent. Once online, they can remain relatively hidden and retrieved at will. The problem is that if the criminals can locate them, so could anyone else.
[This is an example of a keylogger data file on Pastebin.]
Analyzing the source code for some of the keyloggers out there, BitDefender discovered several modules available that would allow posting harvested data to Patsebin.com, as well as other public places. BitDefender’s blog post is here.
After BitDefender alerted us to the cache and their subsequent blog post related to their discovery, we did some digging to see what remained. It is important to note that most of the keylogger posts have been reported and removed. Many of the entries have been scrubbed from Google’s cache and the site itself. However, some were available via cache on Bing and Yahoo over the weekend, and even now some of the keyloggers are posting new details.
What we discovered is an interesting sample of more than 3,000 entries (more than 4,000 without in the raw data), containing not just usernames and passwords, but the computer names, IP addresses, and browser preferences.
In some of the cases, it is clear that what was available on Pastebin.com not only came from keylogging, but Malware that captured the stored authentication credentials within browsers, IM clients, and FTP applications. Also, there are several cases where it looks like a public computer was monitored, as the same system included details for several users. This could also be a sign of several users on a single system in a household.
The data collected by The Tech Herald includes U.S. accounts, but the majority of the data comes from users in Europe, especially Germany and France, with smaller samples from people in Russia, the U.K., and South America. Included in the harvested data are accounts that were accessed as recently as June 3, to accounts as old as January of this year.
The information dumps list accounts for O2, Vodafone, AT&T, Comcast, and Orange on the telecom front, but there are Webmail accounts, such as GMX, and Web.de, as well as a seriously large amount of online and desktop-based gaming accounts. This is telling, as most keylogging Malware targets gamers when it is seen in Europe, and Internet cafes are popular there too, which would explain the multiple accounts from the same system and location.
In addition, social networks are represented, including Facebook, MySpace, Hi5, Jappy, meinVZ, Twitter, Vimeo, Deviant Art, and Wer-Kennt-Wen. There are AOL, ICQ, MSN, Google Talk, and Yahoo messenger details. These accounts also lead to MSN, Yahoo and Google-based service accounts. Commerce-wise, there are Newegg accounts alongside EBay, PayPal, and dozens of other online merchants. A few of the users compromised exposed themselves to serious fraud given the constant presence of online banking details.
True, the social networking, banking, IM, Webmail, and other accounts exposed can cause problems. The number of ISP related accounts are an issue as well. Within the harvested information is router access, cPanel access, FTP access, domain name management, Dynamic DNS management, and hosting support accounts to name a few.
It could be argued that this isn’t news, given the low number of accounts and passwords discovered. At the same time, this isn’t the first time Pastebin has been in the news for inadvertently hosting harvested data.
Last fall, a cache of passwords from Hotmail appeared on the site. While removed, they were online long enough to have been accessed by an untold number of people before they were reported. It should be noted that once reported, the previous owner of Pastebin, Paul Dixon, acted quickly to pull them down.
However, 3,000 plus accounts is nothing to scoff at. The data that is in the raw list is enough to compile a massive Phishing or Spam list, as well as add to a dictionary for cracking use. In fact, one of the things we discovered while searching Pastebin was a brute force script for Facebook, as well as a Phishing kit targeting the social networking giant.
Another thing to consider is that even the passwords and accounts from January could still be valid, given the constant reuse of passwords. Adding to this is the other data contained in the lists, which could be leveraged for granular attacks on a network or person.
For example, some of the accounts compromised are community based forums for gamers, not to mention the accounts from Megaupload and RapidShare, clearly related to pirated material downloads.
Targeting those users with the latest 0-Day games, music, or movies would be an easy way to ensure that the data on the passwords lists are valid. The number of adult related sites and services is a second vector of attack, an old school ploy that has been used before. It’s been well established that many fly-by-night porn sites can cause problems by serving Spyware and Adware, and recently more malicious software.
The harvested data tells a common story. There’s a strong need to use different passwords depending on the function of the site. However, mixing up passwords between sites isn’t enough, they need to be strong passwords that would pose a bit of a challenge for the person or program guessing them.
One password, “tigger”, was used on Facebook, as well as Webmail and two different MSN accounts. It wouldn’t be that hard to guess such a password, and six characters is little challenge for most cracking programs. Tigger is also a “Winnie the Pooh” character. Common names, even fictional ones, should be avoided when constructing a password.
In addition, because of how the passwords were collected, it is worth mentioning that many keyloggers and information stealing programs can be blocked by using updated security software.
We’ve contacted the new owners of Pastebin to see how they plan to address criminals abusing their service. If they respond we will update this article with their comments. In addition, we plan to publish more details on the information we discovered later this week.