The term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
- hooking browsers (and sometimes other applications) and stealing credentials that are typed by the user
- using web injection scripts that are adding extra fields to web forms and submitting information from them to a server owned by the attacker
- form grabbing (finding specific opened windows and stealing their content)
- stealing passwords saved in the system and cookies
Modern info stealers are usually parts of botnets. Sometimes the target of attack and related events are configured remotely by the command sent from the Command and Control server (C&C).
The age of info stealers started with the release of ZeuS in 2006. It was an advanced Trojan, targeting credentials of online banking services. After the code of ZeuS leaked, many derivatives of it started appearing and popularized this type of malware.
In December 2008, a social media credential stealear, Koobface, was detected for the first time. It originally targeted users of popular networking websites like Facebook, Skype, Yahoo Messenger, MySpace, Twitter, and email clients such as Gmail, Yahoo Mail, and AOL Mail.
Nowadays, most botnet agents have some features of info stealing, even if it is not their main goal.
Common infection method
Info stealers are basically a type of Trojan, and they are carried by infection methods typical for Trojans and botnet agents, such as malicious attachments sent by spam campaigns, websites infected by exploit kits, and malvertising.
Info stealers are usually associated with other types of malware such as:
- Downloaders/Trojan Droppers
They are represented by malware families such as:
- Neutrino botnet
Early detection is crucial with this type of malware. Any delay in detecting this threat may result in having important accounts compromised.
That’s why it is very important to have a good quality anti-malware protection that will not let malware be installed.
If the user suspects his or her computer is infected by an info stealer, he or she should do full scan of the system using automated anti-malware tools. Removing malware is not enough. It is crucial to change all passwords immediately.
Info stealers are dangerous for all the users of an infected machine. The consequences are proportionally serious to the importance of stolen passwords. Common dangers are: violated privacy, leakage of confidential information, having money stolen from an account, and being impersonated by the attacker. Stolen email accounts can be northerly used to send spam, or a stolen SSH account can be used as a proxy for attacks performed by cybercriminals.
Avoidance procedures are same as for other types of Trojans and botnet agents.
First of all, keep up good security habits. Be careful about visited websites and don’t open unknown attachments. However, in some cases this is not enough. Exploit kits can still install the malicious software on the vulnerable machine, even without any interaction. That’s why it is important to have quality anti-malware software.