I recently came across a rogue security software (aka “Fake AV”) variant
Troj/FakeAv-AAL which, in addition to the scareware component, downloads and runs a packet sniffer
Troj/Sniffer-R. After pealing away the encryption layers, the credential-sniffing logic is quite simple. The trojan initially sets up a socket to receive all incoming and outgoing packets and sits in a loop, waiting for packets with a source or destination port of 21 — the FTP control port number. It captures the host name, user name and password for any outgoing FTP connections, and checks the user and password combo are valid by parsing incoming FTP traffic for the ‘login success’ status code. Only the credentials which result in a login success are subsequently reported to a remote server — which currently maps to a known malicious domain associated with rogue security software.
