Custom Trojan Creation Tool Sold Online

Finch writes "Net Security.org is reporting on the surprisingly sophisticated 'virus in a can' software called Pinch. Pinch is a tool sold on several online forums and designed to create Trojans. It allows attackers to specify the data that Trojans steal. One of the interface tabs, PWD, allows malicious users to select the type of password to be stolen by the Trojan: from email passwords to passwords kept by the system tools. It is possible to order the Trojan to encrypt this data when sending it, so that nobody else can read it. 'Pinch also lets users carry out other actions: turn infected computers into zombie computers, pack Trojans to make detection more difficult, and kill certain system processes, particularly those of security solutions.'"

obligatory

[by Anonymous Coward]

Yes, but does it run on Linux?

That sounds like fun

[Anonymous Crowhead (577505)]

How much is it and where can I buy it? For, uh, research purposes.

well you're obviously not the intended market

[JeanBaptiste (537955)]

anyone who would use one of these would likely download a pirated version.

Re:well you're obviously not the intended market

[morari (1080535)]

Which is, itself, a Trojan...

Re:well you're obviously not the intended market

[X0563511 (793323)]

Please stand by as space-time folds in upon itself.

Re:

[TeknoHog (164938)]

Or as a Trojan unfolds upon my, you know.

Re:

[Antique Geekmeister (740220)]

And provides its own virus protection from itself?

I've actually heard that proposed, to send out worms via common holes to go block those holes on unsuspecting victim's computers, as being more effective than making them download patches.

Re:That sounds like fun

[Electrum (94638)]

I know you're joking, but what sort of fool would trust the seller with their own CC#?

Why does the card holder care? Your liability is limited to $50 by law, or zero by many card issuers. Merchants are the ones who lose with fraud, not the card holders or the credit card companies. In fact, the card company profits from fraud by hitting the merchant with a charge back fee in addition to reversing the transaction.

nothing special

[sub7 (187049)]

they were distributing trojans like this in the 1990s... sub7 anyone? ;)

Re:nothing special

[KillerCow (213458)]

Or the venerable Virus Creation Laboratory [netlux.org], ala '92.

Re:

[dave562 (969951)]

You beat me to it. VCL was a great starting point for learning how to write virii. It was the first thing that I thought of when I read saw the article. [nostalgia]Sometimes I miss the days of Digital Decay and the NuKE vs YAM flame wars.[/nostalgia]

Re:

[UncleTogie (1004853)]

VCL... Didn't "Nowhereman" set that up?

Re:

[Afecks (899057)]

I'm a trojan author so I'm getting a kick out of these replies...

No seriously, this is not a new idea. There was Senna Spy Trojan Generator [megasecurity.org] many years ago. However, unless the generator actually generates the source code so you can compile it, I would call it a highly customizable backdoor, nothing more.

Re:

[UncleTogie (1004853)]

I'm a trojan author...

Pardon my asking, but isn't admitting to that rather like stuffing bloody meat down your shorts and swimming with sharks?

Nothing New

[KermodeBear (738243)]

There is nothing new here.

I remember back in my script kiddie days I was able to download programs that would put together a trojan or virus together from the various options the user selected. Press a button and viola! It generated an executable. This was ten years ago.

What's so new here? That fact that someone is commercializing it?

Well, good. If you have to shell out cash at least it will keep my 16 year old self from downloading it and causing annoyances.

Re:

[geekoid (135745)]

Because no one would ever, never, ever put a free copy online somewhere?

Only 10 years? How about 1992?

[khasim (1285)]

http://vx.netlux.org/vx.php?id=tv03 [netlux.org]
I still remember the password was chiba city.

Re:

[drspliff (652992)]

Oh the days :)

"Mum, look I created my first virus"

They bearly worked and I understood nothing about the internals, but VCL is definately a prime example that this has been done many times before and is nothing new.

Re:

[misleb (129952)]

Ahh, Virus Creation Lab. What memories. Brings me back to the days when viruses were pleasure, not business.

Re:

[nurb432 (527695)]

Yes, the fact its now a "business" is what is ( sort of ) new here.

It also makes it all that more irritating and pathetic.

Difference between Good and Evil

[HomelessInLaJolla (1026842)]

I had to modify the following post to take any direct references as I have no way of knowing if you, personally, actually made use of your exploits outside of your own private testing environment...

I guess that's the difference between real tao programmers and script kiddies.

I _could_ have engaged in the same things that script kiddies did, exploiting other people for personal amusement and/or gain, but made a conscious decision not to. I saw the links, I looked at the downloads, the ftp sites, and the web

Re:

[HomelessInLaJolla (1026842)]

You haven't even asked for my resume, nor have you asked about my skills and experience, nor have you asked what I'm qualified to do, nor have you offered me a list of your available openings. All you want to do is rant. Tech companies can spend nearly a hundred thousand dollars bringing an H1-B applicant online but they can't give me a little boost out of this situation? Sounds like a fishbowl.

You qualify for the standard response...

Thank you for visiting Slashdot, yet again, to post a followup to my wr

Re:Nothing New

[by Anonymous Coward]

Yeah, Sub7 was great. I thought the most entertaining feature was being able to quickly and easily set the user's desktop wallpaper image. It didn't take long to sniff just enough of the Sub7 protocol to be able to develop a tool that would a) scan huge swath of netspace for Sub7 b) login c) download a .jpg d) set wallpaper. A lot of people back in the late 90s woke up to find that overnight, their wallpaper had changed to a photo involving a cucumber and a very hairy receptacle.

Being able to pop custom modals was pretty fun, too. "ERROR: Insert penis into CD-ROM drive to continue operation! [OK]," followed by the CD tray immediately ejecting itself, probably freaked a few people out.

Oh, to be young again, those were the days...!

I'm not scared...

[rob1980 (941751)]

If anybody tries to install a trojan on my computer, I'll hit them back.

With Winnuke95.

Re:

[dave562 (969951)]

I will see your Winnuke95 and raise you a Goldbug.

Re:

[Adambomb (118938)]

And a pepsi... .c

After all those

[rrohbeck (944847)]

"1NCRE@SE Y0UR PEN1S S1ZE 25% 1N 2 WEEKS!" programs I definitely need custom Trojans.

Re:

[Jherek Carnelian (831679)]

1NCRE@SE Y0UR PEN1S S1ZE 25% 1N 2 WEEKS!" programs I definitely need custom Trojans.

Ah, that is unless you've followed the instructions from this oldie but goodie:

--

Follow these instructions EXACTLY, and in 3 to 6 weeks you will have received well over 50,000 inches of penis, all yours. This program has remained successful because of the inadequacy and vanity of the participants. Please continue its success by carefully adhering to the instructions.

Welcome to the world of Mail Order Penis Enlargement! This little business is a little different than most cosmetic surgery. Your product is n

"Do-It-Yourself Trojans"

[Fedorpheux (912926)]

A great slogan for this program, but I bet our latex buddies have an entirely different interpretation of that...

Re:

[Penguinshit (591885)]

"Don't go off unsafe; be cock-sure! Come prepared with Trojan Condoms!"

Aww yeah! Custom Trojan Creation Tool! Giggety!

[Greyfox (87712)]

I'm going to design mine with the ribs on the inside! For my pleasure! Aww yeah!

What I wonder...

[misleb (129952)]

I wonder who actually pays for these tools? Seems like such a tool would be freely downloadable after teh first purchase. I mean, it isn't like the author is going to try to sue you or anything (though maybe he'll DDoS your download site). It would be like a drug dealer calling the cops because someone stole his supply.

-matthew

Yeah, and no drug dealer would do that...

[benhocking (724439)]

Oh, wait... [cjonline.com] ;)

The price of the server is peanuts.

[symbolset (646467)]

It's the per client licenses that kill your budget.

I'd like to see the EULA

[NotQuiteReal (608241)]

Does anyone have a copy of the EULA for that software?

Re:

[CautionaryX (1061226)]

EULA

By agreeing to the purchase and install of Trojan-o-Matic, hereby called the 'Software', you agree to host 'x' amount of porn or phishing sites. The amount is determined by the Software according to its use and the creator of the software. At any time, you submit your computer to be a host server for the Software Creator's Nigerian email server. That is all.... oh, and your bank account is empty.

Re:

[Havenwar (867124)]

EULA, Pinch, 2.60
I reserve the right to go ballistic on your ass if you rip me off. (But feel free to redistribute if you include your custom trojan in the file.)

EULA - most other software
[four to six pages of nonsense much of it in all caps, mainly stating the exact same as above with the exclusion of the parenthesis but adding a page or two basically saying "I can also castrate you with a dull wooden spoon if you do something I would rather you pay me extra to get done."]

security solutions?

[Sloppy (14984)]

kill certain system processes, particularly those of security solutions.

If you run trojans, can it really be said you have a security solution to be killed?

slashvertisment?

[muszek (882567)]

it's the first slashvertisment that makes you search for the shop yourself...

Name change

[blueforce (192332)]

Either the black-hats or the condom company, but someone has to change the name of their product.

These subject lines are killing me.

Mod me flamebait, but

[postbigbang (761081)]

Since I have to take care of a lot of machines of people that get these things, my otherwise non-violent nature would like to find the authors, well, in a Turkish prison. Yes these things have been sold on the net for a long damn time, but I've also had to scrape, reformat, debug, and otherwise keep hapless unwitting people from the damage these things do. They're often chained to using Windows whether they want to or not.

I've seen them spend hundreds of dollars on both prevention and cure, only to get owned again. This isn't about Microsoft, this is about guys that are the seeming equivalent to those that might cut brake lines in a car. The outcome isn't injurious physically, just emotionally/mentally and financially.

My hacker instinct says always continue to hack and explore and try and break things, but selling trojans seems way over the top. No fucking 'let them download Ubuntu or get a second mortgage for a Mac' shit. This is real, this is vulgur, and this is a business plan for bright guys gone bad.... and I don't get paid for scraping this crap.

You fail it.

[symbolset (646467)]

You seem smart. Nevertheless you're solving the wrong problem. Solve the right problem and it will be ok.

Whoever wrote that and released it ...

[ScrewMaster (602015)]

needs to have his liver removed with hot pincers.

The Future of Anti-Virus

[Nom du Keyboard (633989)]

I'm believing that the future of anti-virus/rootkit solutions has to be a live CD that runs fully independently of the host system and software being scanned.

Re:Scary stuff to be sure

[realmolo (574068)]

Eh. Trojans/rootkits/viruses built form these "kits" tend to all be very similar. Essentially, if you defend against one, you're defended against all the others.

Never mind the fact that it's a fucking KIT. If YOU can download it, so can the anti-virus people in order to figure out how to detect viruses made with it.

The interesting thing about modern viruses/trojans/whatever is that very few of them are really *viruses* anymore. They rely almost completely on simply getting a user to manually run (or at least give permission to the system to run) an obfuscated executable. It's sad that the technique is so successful.

Re:Torrent?

[Havenwar (867124)]

Oh, actually a search for "pinch" on emule turns up quite a plethora of results... although once you've sorted out the porn and downloaded a few exe files (yes I know, for most geeks this is the exact reverse of the normal process), for some odd reason antivirus warnings start to pop up... apparently two out of three pinch downloads was infected with "Win32/PSW.LdPinch.P4 trojan" and the third with some other crap that I forgot to write down.

You can almost see the scriptkiddies sitting there with their brand new trojan going... "hmm, now if only I had some program to trick people into downloading... something I could merge my trojan with to start off my botfarm. Something I could put on fasttrack, and maybe emule... something idiots would download and run even if their antivirus goes off. Hey wait a minute, I'm an idiot and I just ran pinch even though 'norton' told me it was bad for me!"

Re:Torrent?

[PCM2 (4486)]

apparently two out of three pinch downloads was infected with "Win32/PSW.LdPinch.P4 trojan"

Did you stop to think that maybe the construction set was identified as a Trojan because it ... you know ... contained the code for a Trojan? As in ... if it tripped your antivirus then you probably had the right one.

Re:

[EVil Lawyer (947367)]

He did consider that. His point was that precisely because of what you're saying, people will run a file that's supposed to be Pinch, even if they see a virus warning. Therefore, it would make sense for people who want to create a botfarm to make a virus with Pinch, and then throw it up as a torrent and say it IS pinch. Get it?

Re:

[Havenwar (867124)]

Well, yes. Hence why I found it amusing that only two out of three downloads (of exactly the same files according to filename and versions and all... except filesize) warned about that particular trojan, which could logically be an indication of it containing the code it will later use. The third occasion warned for another trojan, which means that either that was the correct one, or it was infected with another trojan. Of course they were all infected, as was blatantly obvious hours later when I sandboxed

Re:

[rantingkitten (938138)]

Considering that "virii" is a made-up, non-English word, then yes, I can believe Bush using it and being mocked in the media the next day for another brilliant Bushism. The proper plural is "viruses".

Hate to be the one who bears bad news. And by the way, "boxen" is not a real word either.