ID Theft Keylogger Examined

March 8, 2008 – 4:16 PM

I have had email conversations with a number of people at Sunbelt Software about the ID theft ring they discovered recently. They were kind enough to provide a HijackThis log entry that identifies the keylogger. I promised not to publish it but said I would warn the helpers at the message board to keep an eye out for any victims. Unfortunately, we discovered that dozens of people had been infected. We set about trying to contact them all privately.

Since the HijackThis log entry now has been published elsewhere, including on Sunbelt’s web site, I will go ahead and reveal it. Download HijackThis and scan the computer. If the following entry is present in the results, then the computer is infected with this spyware and the user(s) of that computer might be victims of identity theft:
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe

Sunbelt has created a free tool to remove this trojan safely. If that entry is found on any computer that you are examining or fixing, visit this page (http://research.sunbelt-software.com/ssaclean.cfm). Download the program linked there, then unplug that computer’s modem from the internet. Leave it unplugged until after the trojan has been removed. I’ve submitted the keylogger to several antispyware and antivirus vendors, so they should be detecting it shortly, if they don’t already.

Sunbelt has named this trojan Srv.SSA-KeyLogger.

After that has been done, you then have the sad duty to inform the owner of the machine that they may be the victim of identity theft. From an uninfected machine, they need to log into any web site where they have an account and change their passwords. They also should contact their banks and credit card lenders and inform them of the situation.

Based on that HijackThis entry, some of the spyware gurus at the message board obtained a copy of the keylogger and set about examining it in detail. Compared to the browser hijackers and spyware that we normally see, this keylogger is extraordinarily sophisticated.

This keylogger is downloaded and installed by a browser hijacker identified widely as CWS. The computer first has to be infected with a particular variant of this hijacker. After that variant is installed, it downloads this keylogger and then installs it.

At this point, it still is unclear why the hijacker software is installing the keylogger. The person responsible for it might have been paid by a third party to install this file without an explanation of what it does. In that case, the people responsible for the hijacker are unwitting accomplices in this identity theft operation. It is a common practice for one browser hijacker to download and install several others.

CoolWebSearch.com has released a statement denying any involvement with this situation. The statement says that if anyone has evidence that one of their affiliates is involved, they will contact the FBI with information about the affiliate and immediately suspend their account. I have taken them up on their offer and contacted them to find out if the web sites involved in the browser hijacker belong to one of their affiliates. As much as I personally dislike CoolWebSearch, I would hate to finger them for something like this if they are not responsible.

The keylogger also can be installed separately from the browser hijacker by visiting certain web sites. The main pages of these web sites are pay-per-click search portals with a design very similar to that of coolwebsearch.com and their affiliates.

Once the keylogger is installed, a surprising number of things happen to the infected computer.

Several web sites owned by antivirus and antispyware companies are blocked by modifying the HOSTS file. Mike Burgess of MVPS speculates that since legitimate antimalware web sites are blocked, an infected victim will begin clicking links on the hijacker’s web site to find an antispyware program. When that happens, the hijacker ends up being paid for the link referral plus a commission if the victim buys the antispyware program.
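Added example (mine, not from the newsletter or from any of the tools it mentions): a Python audit of a HOSTS file that reports the pattern described above, namely hostnames pinned to a loopback or all-zeros address, plus any watchlist name that has been given a static mapping at all, since the same trick can just as easily steer a victim to a copy of a site controlled by someone else. The HOSTS excerpt and the .test hostnames are constructed.

```python
import ipaddress

# Constructed HOSTS excerpt. The vendor names are placeholders; the shape is the
# one the article describes: security sites pinned to loopback so they never load.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-antivirus.test
127.0.0.1       update.example-antispyware.test
0.0.0.0         research.example-antivirus.test      # 0.0.0.0 swallows traffic too
203.0.113.7     www.example-antispyware.test         # documentation range, stands in for a foreign host
"""

# Names that legitimately map to the loopback address.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS-file text, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a stricter auditor could report this as well
        for host in fields[1:]:
            pairs.append((ip, host.lower()))
    return pairs


def is_sinkhole(ip):
    """True for addresses that make a name unreachable: loopback or the unspecified address."""
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text, watchlist=()):
    """Return suspicious HOSTS entries as dicts with host, ip and reason.

    Every non-localhost name pointed at a sinkhole address is reported. A name on the
    watchlist (for example your antivirus vendors) is reported for *any* static mapping,
    because a HOSTS override can redirect as well as block.
    """
    watch = {w.lower() for w in watchlist}
    findings = []
    for ip, host in parse_hosts(text):
        if host in LOOPBACK_OK:
            continue
        if is_sinkhole(ip):
            findings.append({"host": host, "ip": str(ip), "reason": "sinkholed"})
        elif host in watch or any(host.endswith("." + w) for w in watch):
            findings.append({"host": host, "ip": str(ip), "reason": "watchlist-override"})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, watchlist=["example-antispyware.test"]):
        print(f"{f['reason']:<20} {f['host']:<40} -> {f['ip']}")
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`) into `audit_hosts` and pass the domains of the security products you rely on as the watchlist; a clean Windows HOSTS file normally contains nothing but the localhost line and comments.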

I should point out that any antispyware companies advertising on such web sites nearly always are found in the Rogue Antispyware list and are not recommended.

The keylogger itself is set up to run every time the computer restarts. A registry key is written which loads the keylogger even before any user logs into their account. Again, that entry can be identified in a HijackThis scan as O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe

This spyware also performs another very cute trick. Just in case someone has discovered that malware has been installed and tries to clean it off, a PE virus infects a harmless program set to load at startup. The program that is infected is chosen at random from the list of startup entries found in the registry. Once this is done, the computer is reinfected with this trojan when it restarts.
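As an added example (not part of the original newsletter, and not Sunbelt's or HijackThis's code), here is a small Python checker covering both of the points above: it parses the O4 autostart lines of a HijackThis log and flags the load32/winldra.exe entry, and it compares SHA-256 hashes of the autostart executables against a stored baseline, so a startup program that has been quietly infected shows up as drift even after the obvious entry has been removed. The log excerpt and the two throwaway files are constructed, and the regular expression is my own reading of the O4 line format.

```python
import hashlib
import os
import re
import tempfile

# HijackThis O4 lines look like:  O4 - HKLM\..\Run: [value name] command
# This pattern is my own reading of that format (a hyphen or an en dash after "O4").
O4_LINE = re.compile(
    r"^O4 [-\u2013] (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.+)$"
)

# Indicator from the article: value name plus executable name of the keylogger's Run entry.
KNOWN_BAD = {("load32", "winldra.exe")}

# Constructed log excerpt; only the first line is the indicator from the article.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_o4(log_text):
    """Return one dict (hive, key, name, command) per O4 line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def exe_name(command):
    """Bare executable file name from a Run-key command, e.g. '"C:\\x\\y.exe" /a' -> 'y.exe'.
    Unquoted paths containing spaces are cut at the first space, as Windows itself may do."""
    first = command.strip()
    if first.startswith('"'):
        first = first[1:].split('"', 1)[0]
    else:
        first = first.split(" ", 1)[0]
    return first.rsplit("\\", 1)[-1].lower()


def flag_known_bad(entries):
    """Entries whose (value name, executable) pair matches the indicator."""
    return [e for e in entries if (e["name"].lower(), exe_name(e["command"])) in KNOWN_BAD]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def integrity_drift(paths, baseline):
    """Hash each autostart executable and return those whose hash no longer matches the
    baseline (possible PE infection) or that have no baseline entry at all."""
    drift = {}
    for path in paths:
        current = sha256_file(path) if os.path.exists(path) else None
        expected = baseline.get(path)
        if current != expected:
            drift[path] = {"expected": expected, "current": current}
    return drift


def demo():
    """Run both checks on constructed data: the log excerpt and two throwaway files."""
    flagged = flag_known_bad(parse_o4(SAMPLE_LOG))
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.exe")
        victim = os.path.join(tmp, "victim.exe")
        for p in (good, victim):
            with open(p, "wb") as f:
                f.write(b"MZ" + b"\x00" * 64)  # stand-in for a real PE image
        baseline = {p: sha256_file(p) for p in (good, victim)}  # taken while clean
        with open(victim, "ab") as f:  # simulate an infector appending code to one program
            f.write(b"\x90" * 16)
        drift = integrity_drift([good, victim], baseline)
    return {"flagged": flagged, "drift": drift}


if __name__ == "__main__":
    result = demo()
    print("known-bad autostart entries:", [e["command"] for e in result["flagged"]])
    print("autostart executables that changed:", list(result["drift"]))
```

In practice you would take the baseline hashes once, on a machine you believe clean, store them somewhere the machine cannot alter, and feed `integrity_drift` the executables named by the current O4 entries; an unexplained change in a program that was fine last week is exactly the symptom the reinfection trick produces.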

This keylogger appears to be designed specifically to capture user names and passwords. It captures chat sessions and collects passwords from various programs such as FTP clients. It reads information from the Windows Clipboard and also captures data from Internet Explorer’s “Protected Storage”. This information is dumped into a log file. Once the log file reaches a certain size, its contents are uploaded to a remote web server.

After some research, several people have found indications that an older version of this trojan has been infecting people for several months, possibly as far back as December 2004.

A web server is installed on the computer, along with a PHP scripting engine, allowing PHP scripts to be run on the infected computer. PHP is a scripting language used on millions of web sites, including Spywareinfo.com. Some of the PHP scripts included with this trojan allow a person to run programs on the infected computer from a remote location. We are still studying this web server.

Both SMTP and POP3 email servers are installed. Shortly thereafter, the computer begins spewing out spam.

Part of a rootkit is installed, which has been identified as Haxdoor.

The Windows Task Manager is replaced with an altered version.

Internet Explorer itself is infected. A DLL library file hooks into Iexplore.exe using process injection. This means that a firewall might not prevent this trojan from accessing the internet.

The Windows Security Center, installed as part of Windows XP SP2, is disabled. The Windows Firewall and the Automatic Updates services are disabled. If the computer is running Windows XP and does not have Service Pack 2 installed already, the registry is altered in a way that would cause installation of this service pack to fail.

One person reported that files from the program Total Uninstall 3 had been modified to render it inoperable.

The trojan connects to a certain page of a certain web site every five seconds. From this web page, with no password needed, someone can send commands to every infected machine still connected to the internet.
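A fixed five-second check-in is the kind of timing regularity that a proxy or firewall log can reveal even when the destination is unknown. The Python below is an added example (not part of the newsletter) that groups requests by client and URL and reports streams whose gaps between requests are nearly constant. The log excerpt, the c2.example.test hostname and the thresholds are all constructed; real beacons usually carry some jitter, which the `max_jitter` tolerance absorbs.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log excerpt, one request per line: "<ISO timestamp> <client> <method> <url>".
# 10.0.0.5 fetches the same page roughly every 5 s; 10.0.0.9 is a person reading a news site.
SAMPLE_LOG = """\
2005-08-12T10:00:00 10.0.0.5 GET http://c2.example.test/cmd.php
2005-08-12T10:00:01 10.0.0.9 GET http://news.example.test/
2005-08-12T10:00:05 10.0.0.5 GET http://c2.example.test/cmd.php
2005-08-12T10:00:10 10.0.0.5 GET http://c2.example.test/cmd.php
2005-08-12T10:00:14 10.0.0.9 GET http://news.example.test/
2005-08-12T10:00:15 10.0.0.5 GET http://c2.example.test/cmd.php
2005-08-12T10:00:21 10.0.0.5 GET http://c2.example.test/cmd.php
2005-08-12T10:00:25 10.0.0.5 GET http://c2.example.test/cmd.php
2005-08-12T10:00:47 10.0.0.9 GET http://news.example.test/
2005-08-12T10:01:30 10.0.0.9 GET http://news.example.test/
2005-08-12T10:03:02 10.0.0.9 GET http://news.example.test/
"""


def parse_log(text):
    """Yield (timestamp, client, url) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(" ", 3)
        yield datetime.fromisoformat(ts), client, url


def find_beacons(text, min_hits=5, max_jitter=0.25):
    """Return (client, url, mean_gap_seconds) for request streams with near-constant timing.

    A stream qualifies when it has at least `min_hits` requests and the population
    standard deviation of the gaps between consecutive requests is at most
    `max_jitter` times the mean gap.
    """
    series = defaultdict(list)
    for ts, client, url in parse_log(text):
        series[(client, url)].append(ts)

    beacons = []
    for (client, url), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) <= max_jitter * mean:
            beacons.append((client, url, mean))
    return beacons


if __name__ == "__main__":
    for client, url, mean in find_beacons(SAMPLE_LOG):
        print(f"{client} polls {url} every ~{mean:.1f}s")
```

The news reader makes five requests too, but its gaps (13, 33, 43 and 92 seconds) vary far too much to pass the default 25% tolerance; loosening `max_jitter` to 1.0 would report it as well, which is the trade-off you tune against your own traffic.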

This very clearly is one of the worst malware infections I have ever seen. This whole newsletter is two days late because every time I thought I’d finished this article, we discovered something new about the trojan.

Again, running this tool from Sunbelt (http://research.sunbelt-software.com/ssaclean.cfm) should remove this particular trojan. Other antispyware and antivirus products should begin detecting it very shortly.

Credit for all of the analysis that I have tried to explain here goes to a large number of people: Patrick Jordan (aka Webhelper), Eric Sites and Alex Eckelberry of Sunbelt Software. There are a couple of researchers from Microsoft that I probably shouldn’t name. Eric Howes and Suzi from spywarewarrior.com. Paul Laudanski (aka Zhen-Xjell) from Castlecops. From the online antispyware community: Tuxedo_jack, JackB, Avohir, Grinler, Mike Burgess (aka WinHelp2002), Merijn, Metallica, Didom, TheJoker, cnm, jedi, miekiemoes, Swandog46, Atribune, WaRHaWK, Bobbi_Flekman. If I left anyone out, I apologize. There literally were dozens of people picking this thing apart over the last few days.

We are continuing to post news stories related to this ID theft ring in our news section.

http://www.spywareinfo.net/aug12,2005#Srv.SSA-KeyLogger

Disable ActiveX for safer Web browsing

March 8, 2008 – 4:15 PM

Unfortunately, ActiveX controls are ideal tools for those who would attack your computer. Over the years, Internet Explorer has been their favored vehicle. It was built to take advantage of ActiveX controls.

These controls pose a serious security threat that outweighs their benefits. So it’s important to take steps to protect your computer and data from these threats.

You probably have encountered ActiveX controls on the Internet. Web pages that play music probably use them. ActiveX controls can also open Windows media movies or Word documents inside a browser window.

These small programs can do virtually anything. Thousands of ActiveX controls are available. And when Internet Explorer downloads them from a Web site and runs them, they have access to your computer.

Other technologies, such as Java, can also run code within a browser. But by design, Java programs have little access to Windows.

Problems with ActiveX have been a big contributor to the poor safety reputation of Internet Explorer. Firefox (http://www.mozilla.org), a free alternative Web browser, has captured a significant share of the browser market. One reason is its reputation for safety, because it does not accept ActiveX controls.

Unfortunately, you’d find life without ActiveX inconvenient. Windows Update, for instance, requires ActiveX. You can’t use Firefox to update Windows; you have to switch to Internet Explorer. That is occasionally true of other Web sites, too.

I use Firefox for safety reasons. I have installed a plug-in, IEView, that allows me to switch to Internet Explorer when necessary. This might happen when a page is optimized for Internet Explorer, and doesn’t work properly in Firefox. That could be because of ActiveX, or it might be another feature.

To find IEView, click Tools>>Extensions in Firefox. Click Get More Extensions. To use IEView, right-click the page you want to open in Internet Explorer. Select View This Page in IE.

ActiveX Controls should be set to a safe level in Internet Explorer. You can do that by using the factory settings. Click Tools>>Internet Options. Select the Security tab. Be sure the Internet zone is selected. Click Default Level.

If you want to continue using Internet Explorer, you can turn ActiveX off altogether. To do that, click Tools>>Internet Options. Again, be sure the Internet zone is selected. Click Custom Level. You’ll find seven settings for ActiveX. Disable them all. You could set them back to Default Level when you need them.
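The Custom Level dialog stores its choices in the registry, which is handy when you need to confirm the setting on more than one machine. The Python below is an added example, not from the column: it audits the seven ActiveX actions of the Internet zone and lists any that are not set to Disable. The action IDs, the zone number and the Enable/Prompt/Disable codes come from my own knowledge of how IE6 SP2 stores zone settings, not from the column, so treat them as assumptions to verify against your build; the two snapshot dictionaries are constructed.

```python
# Internet Explorer keeps per-zone settings as DWORD values under
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
# where zone 3 is the Internet zone. Value data: 0 = Enable, 1 = Prompt, 3 = Disable.
# The seven action IDs below are the ActiveX section of IE6 SP2's Custom Level dialog
# as I know it (assumption, not taken from the column).
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1405": "Script ActiveX controls marked safe for scripting",
    "2000": "Binary and script behaviors",
    "2201": "Automatic prompting for ActiveX controls",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3
INTERNET_ZONE = 3
ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"


def read_zone_settings(zone=INTERNET_ZONE):
    """Read the live ActiveX values for one zone on Windows; return {} on other platforms
    so the audit can still be run against an exported snapshot."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_KEY + "\\" + str(zone)) as key:
        for action in ACTIVEX_ACTIONS:
            try:
                values[action], _type = winreg.QueryValueEx(key, action)
            except FileNotFoundError:
                pass  # value absent: reported by audit_activex as unset
    return values


def audit_activex(values):
    """Return (action id, label, current state) for every ActiveX action not set to Disable."""
    names = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
    weak = []
    for action, label in ACTIVEX_ACTIONS.items():
        state = values.get(action)
        if state != DISABLE:
            weak.append((action, label, names.get(state, f"unset ({state})")))
    return weak


# Constructed snapshots standing in for two registry exports: roughly what the
# "Medium" default level looks like, and a zone with everything disabled.
DEFAULT_LIKE = {"1001": 1, "1004": 3, "1200": 0, "1201": 3, "1405": 0, "2000": 0, "2201": 0}
LOCKED_DOWN = {action: DISABLE for action in ACTIVEX_ACTIONS}


if __name__ == "__main__":
    live = read_zone_settings() or DEFAULT_LIKE  # fall back to the snapshot off Windows
    for action, label, state in audit_activex(live):
        print(f"{action}  {label:<60} {state}")
```

Run it on the machine itself (or feed it the relevant values from a `.reg` export) and an empty result means every ActiveX action in the Internet zone is disabled, which is the state the paragraph above describes; anything listed is what Default Level or a later change has turned back on.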

I still prefer Firefox. It has had security concerns, but it has one big security advantage. It is not part of Windows. Internet Explorer is an integral part of Windows, making you more vulnerable. So I only use Internet Explorer on sites where I have an expectation of safety.

ActiveX is typical of older Microsoft products. Internet Explorer, and its ActiveX components, was built to maximize convenience and pleasure in surfing the Web. Less thought was given to security. Internet Explorer 7, which is under development, should certainly be safer.

In the meantime, we all have to use common sense with today’s Internet Explorer. When you use it, stay away from questionable sites, and don’t download things you don’t understand. Use a firewall and pay attention to its prompts. Keep your anti-virus and anti-spyware software updated. That should keep you out of trouble.

http://www.komando.com/kolumns_show.asp?showID=8938

Be Careful With Your Password Away From Home

March 8, 2008 – 4:14 PM

The US Federal Deposit Insurance Corporation (FDIC) is asking banks to warn their customers against logging into their accounts on public machines. Many computers used for public internet access have surveillance spyware installed on them. The spyware might take screenshots, record keystrokes and monitor web addresses visited, then send all of that data to the person who installed the spyware on the machine. This is no theoretical problem. It has happened before.

I think the safest thing to do is to assume that someone IS watching your net traffic when you are on a public machine, whether they really are or not. Assume that someone is peeking and don’t give them anything valuable to peek at. I wouldn’t even log into a Hotmail account from a public computer, much less a bank. Logging into a bank or into Paypal or anything that controls money is something you should never do from a public computer. Ever.

If you are traveling and have no other way to check your email, a public machine in an internet cafe might be your only option. There are a few steps that you can take to make that a little safer, though it still is not “safe”. Before doing anything else, go into the options of the browser to disable autocomplete. In Internet Explorer, go to Tools > Internet Options > Content tab and disable all autocomplete options there. In Firefox, go to Tools > Options > Privacy. In Opera 8 or above, go to Tools > Preferences > Wand.

Now you need to verify that it has actually stopped recording autocomplete information. Go to your email site and try to log in with a fake password. If it offers to save the password, something wasn’t done correctly. If it doesn’t offer to save the password, close the browser and then go right back to the site. If it has saved the previous fake password you used, something wasn’t done correctly. Go back and try to turn off autocomplete again. If it continues to save the password no matter what you do, do not use that machine.

Next, you can check for spyware. You may or may not be able to install programs or access a floppy or CD drive on the computer. Chances are, you can’t. Go to SpywareInfo’s online scanning page instead. That uses an ActiveX version of X-Cleaner which will do a scan for spyware and adware. Since it is ActiveX, it will work only with Internet Explorer. If the computer is using a different browser, try the online scanner at Trend Micro Europe.

If it finds spyware, you may not be able to remove it, depending on what has been done to the computer, so don’t try. You may not be able to reboot a public computer anyway. If the scanner does report spyware, either move on to another machine or just go elsewhere. Be sure to report the problem to the manager of whatever business is providing the computer if possible.

If it doesn’t find any spyware and you have successfully disabled autocomplete – and you are certain that you really want to log into an account from there – then go ahead and log in. If it has an option such as “this is a public machine” or “save your password on this machine” or similar, make sure you take the option of not saving the password. Afterward, close the browser window, then go into options again and delete all temporary files, as well as all cookies. Then go right back to the site you just used and make certain it doesn’t log into your account automatically.

Don’t assume that you are safe even if you are using your own laptop. For one thing, you are using a strange network and who knows what may be monitoring that network. For another, you can never know if the person in the next room or parked outside is sniffing at your wi-fi signal.

Once you return home to your own PC (which hopefully is spyware-free), you might want to change the password at any site you logged into while traveling. If all of this sounds a little paranoid, just remember, it’s not paranoia if someone really is watching.

http://www.spywareinfo.net/july31,2005#fdic

USB Devices Can Crack Windows

March 8, 2008 – 4:13 PM

Vulnerabilities in USB drivers for Windows could allow an attacker to take control of locked workstations using a specially programmed Universal Serial Bus device, according to an executive from SPI Dynamics, which discovered the security hole. The buffer-overflow vulnerabilities could enable an attacker to circumvent Windows security and gain administrative access to a user’s machine.

This is just the latest example of a growing danger posed by peripheral devices that use USB (Universal Serial Bus), FireWire and wireless networking connections, which are often overlooked in the search for remotely exploitable security holes, experts say.

The buffer-overflow flaw is in device drivers that Windows loads whenever USB devices are inserted into computers running Windows 32-bit operating systems, including Windows XP and Windows 2000, said Caleb Sima, chief technology officer and founder of SPI Dynamics.

http://www.eweek.com/article2/0,1895,1840141,00.asp?kc=ewnws072505dtx1k0000599

Browser Alternatives Are No Guarantee of Security

March 8, 2008 – 4:12 PM

If you use an alternative browser–Firefox, Opera, Mozilla, or anything not named Internet Explorer–you may be feeling pretty smug these days. Every time you hear about another patch for IE or about another way hackers use that browser to attack unsuspecting Web users, you think to yourself, “I don’t have to worry.”

Well, think again. The fact is, alternatives like Firefox have security problems of their own. And even if you don’t use Internet Explorer for your everyday browsing, you still have to keep it patched: Those ever-creative hackers have found ways to enter your system through Firefox, and then exploit IE.

If you grabbed your copy of Firefox or Mozilla a few months ago, you’re at risk. Programmers have discovered at least 28 holes in Firefox since January 1. The Mozilla browser shared 27 of those problems with Firefox (click here for details). You must install a new copy of the browser. Use Secunia’s tool to see whether your browser is vulnerable.

The right piece of malware could trigger older versions of Mozilla or Firefox to launch programs at will or to read data from the browser cache out of memory, threatening your privacy by exposing your browser history, search queries, and possibly passwords.

Opera has released security fixes this year, too, though fewer than Mozilla and Firefox. To get more details, click here.

Merely patching your alternative browser isn’t enough. Security researchers recently discovered an exploit that uses the browser plug-in Java to worm its way through Firefox to get to IE. It then uses IE to launch a blizzard of pop-ups.

That means you have to keep up-to-date on all those IE fixes you thought you could ignore. And you have to make sure that any browser add-ons such as Java are secure. (If you don’t know which version of Java you have, click here; and pick up the latest version from Sun here.)

It’s tempting to think that using an alternative browser is like going back to the early days of the Web, when you didn’t have to worry about safety. Sadly, those days seem to be gone forever.

http://www.pcworld.com/howto/article/0,aid,120768,00.asp