While reading one of the blogs from the websites mentioned in our reading list, I came across this blog, which talks about a case where malware present on the system was trying to steal image files such as .jpg and .jpeg. They had also noticed network transfers of several Windows memory dump (.dump) files, which are usually created when a program crashes so that the cause of the crash can be diagnosed. The files were stolen and sent over an FTP channel. Events like this are not new: a few years back there were also incidents where hackers intruded into celebrities' machines and stole their personal files.
Some of the screenshots of what they had witnessed look like this:
The figure above shows that the FTP server is storing all the files received from the victims' machines.
They had also witnessed transfers of .dump files along with the .jpeg/.jpg files, and since most of the files were in an image format, they believe that .dump is just a typo for the .bmp file format. But I am not convinced by this argument, as it may be that the intruder also wants to leave the impression that it is all about images and documents only.
Their argument that the .dump file was just a typo does not convince me. Usually, whenever a dump is created, system data also gets archived, and those files store information about the host machine such as the Windows registry and firewall configuration. This information, when used properly, could give complete access to the user's machine, which is worth far more than asking a ransom for the files stolen from the victims' machines.
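One way a defender could catch this kind of exfiltration is to watch outbound FTP uploads (STOR commands) and weight crash dumps much higher than image files, so a single .dump leaving the network raises an alert on its own. The script below is an added example written for this post, not code from the original post or from the McAfee blog; the log line format and the sample lines are constructed for illustration.

```python
import os
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the original post or the McAfee blog).
# Assumed format: "<timestamp> <client_ip> <FTP command> <argument>", one per line.
SAMPLE_LOG = """\
2013-07-01T10:00:01 10.0.0.5 STOR /uploads/IMG_0001.jpg
2013-07-01T10:00:02 10.0.0.5 STOR /uploads/IMG_0002.jpeg
2013-07-01T10:00:03 10.0.0.5 STOR /uploads/WER-123.dump
2013-07-01T10:00:04 10.0.0.7 STOR /uploads/report.docx
2013-07-01T10:00:05 10.0.0.5 STOR /uploads/holiday.JPG
2013-07-01T10:00:06 10.0.0.7 PASS ******
"""

# Extensions seen in the campaign discussed above. A crash dump is weighted higher
# than an image because it can carry process memory and host configuration data.
WATCHED_EXTENSIONS = {".jpg": 1, ".jpeg": 1, ".bmp": 1, ".dump": 5, ".dmp": 5}

STOR_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+STOR\s+(?P<path>\S+)$")


def parse_uploads(log_text):
    """Return (client, path, extension) for every STOR line; other commands are ignored."""
    uploads = []
    for line in log_text.splitlines():
        m = STOR_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        ext = os.path.splitext(path)[1].lower()  # case-insensitive, e.g. ".JPG" -> ".jpg"
        uploads.append((m.group("client"), path, ext))
    return uploads


def score_clients(log_text, threshold=3):
    """Score each client by the weight of watched uploads; return those at or above threshold.

    With the default threshold a single .dump upload (weight 5) is enough to flag a host,
    while a few image uploads alone (weight 1 each) are not.
    """
    scores = Counter()
    flagged = defaultdict(list)
    for client, path, ext in parse_uploads(log_text):
        weight = WATCHED_EXTENSIONS.get(ext)
        if weight:
            scores[client] += weight
            flagged[client].append(path)
    return {c: (s, flagged[c]) for c, s in scores.items() if s >= threshold}


if __name__ == "__main__":
    for client, (score, files) in score_clients(SAMPLE_LOG).items():
        print(f"ALERT {client} score={score} files={files}")
```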
References:
1) http://surf.ml.seikei.ac.jp/~nakano/dump-restore/dump-restore-mini-HOWTO.en.html
2) http://blogs.mcafee.com/mcafee-labs/image-theft-via-ftp-could-be-first-stage-of-attack