Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Sunbelt Tracks DIY Trojan Builder Program



 By: Paul F. Roberts
2006-01-19
Article Rating:starstarstarstarstar / 4


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Sunbelt Tracks DIY Trojan Builder Program
  2. ' The Hackers Mistake '

Rate This Article:
Poor Best
Sunbelt Tracks DIY Trojan Builder Program
( Page 1 of 2 )

The security company warns of an easy-to-build Trojan virus kit for sale on the Internet that allows even inexperienced hackers to steal credit card numbers and more.Researchers at Sunbelt Software Inc. have uncovered a special program they said they believe is being used to create keylogging and Trojan horse programs that target customers of financial institutions in the United Kingdom, United States and Canada.

Researchers recently discovered the "builder" program on a Web site that was harvesting information from a variant of a Trojan horse program known as WinLdra.

The program provides an easy-to-use interface for creating new variants of WinLdra that can steal credit card numbers and online banking log-ins from machines on which it is installed, and can direct e-Gold payments into an account owned by the attacker.

The builder program makes it easy for even unsophisticated hackers to create a specialized Trojan horse program.

It may be responsible for a flood of WinLdra programs in recent months that have stolen information about thousands of customers of banks and financial institutions around the world, said Eric Sites, vice president of research and development at Sunbelt.

Resource Library:
The program is not unique, but is evidence of a widespread and sophisticated online operation selling software that is tailor-made for identity theft, Sites said.

"This is a kit for building [Trojans]," Sites said. "Its user-driven. You can fill out a few check boxes; its branded and comes with a help file in Russian and English."

Until recently, the software for creating WinLdra Trojans was being sold from a Web site, www.ratsystems.org. That Web domain was first established in September, 2004, and is registered to an individual named "Dimitry Semenov" in Moscow. The Web page displayed an "under construction" message Thursday.

An extensive help file that was discovered with the Trojan builder provides instructions for creating a unique version of program and advertises its information-stealing features.

Click here to read about Sunbelts plans to release a free tool that detects a sophisticated keylogger threat.

In the help file, the Trojan program is described as a "UK account grabber" that targets Web sessions by customers of banks like HSBC.com Inc., Barclays, Lloyds and NationWide Bank. It has features that intercept form data and sequences of symbols, such as special digits of a social security number, according to a copy of the help file provided to eWEEK.

Users are also given detailed instructions for deploying the Trojan program, including directions for modifying and uploading script and configuration files that will transmit stolen information back to a computer controlled by the attacker.

Other features in the builder allow the attacker to configure screen captures of the victims machine or run commands that turn the infected computer into a "bot" that can be controlled from afar.

One feature even allows the attacker to provide an account number for online payments company e-Gold Inc. If a user on the infected machine attempts to make a payment using that service, the Trojan will reroute the payment to the specified account, Sites said.

WinLdra is typically installed from malicious Web pages using exploits for holes in Microsoft Corp.s Internet Explorer Web browser, Sites said.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

In one case, the program was even distributed from the Web site of a legitimate New Orleans-based company that sells fishing equipment, he said.

Once it is installed, the program immediately copies and transmits the contents of Windows Protected Storage, which contains saved user names and passwords that are used to access protected Web sites, as well as information stored on any Web forms the user has interacted with.

Often that action, alone, yields a treasure trove of information to the attacker, including credit card and social security numbers, Sites said.

Next Page: The hackers mistake.





  Reader Comments: Sunbelt Tracks DIY Trojan Builder Program
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Paul F. Roberts
 


x}kw89v2k=mGʑ-9Ķ<OrJ$)CR}O=Ox-v9%, UBPλ$9acr3ݩc}:I]"I~x(3`R˩8AZNɑ!,Շ)~-slrCjwGl$J~x'AT{# xL95Μ k9ԗoˏne0-ZAQ6)֐N0o-Z P8 {(Z= ?+B4e$oQX}؁䛿Q=2pS6BT!|@J%h!GQus_;ό3!X]~j4LߵXhj9:TN`Uƞfn aZ.91rx&=׽@ *YsDƞIC d"LJN`:p,#G^Cݡc9 N\^ ZSӂ螩[{mɧ9u]kԏPL0H -{`<I%$7 .lq_-%0/<{edС!ZdQ-}9e feo6 usҾVUBXW{]δ ηL{voT3}3?~)eUe{>̑Ko5-%uP:I\t>Ƀ59N6 Hw&LT)Jj\(NLCa:|5 3P%Je_P+(.a[zOa`%pfQUe:5'sK׺jw[:>=jN}3fP+M~(#3hؕΊgxkZu\49utH}"+|qf5 0\6:֪V1?x?-|kh2`=t8Lwj/ ?5;ǽ/-2 OGgcdp,^w~F y훨-tK[9K }!xcw%#,_ fk7 Jsa)":sP;H}ڊNm҄ 9B:%ϙy[7hr Ce)#8?݃IhJq䰉cYSl؅ Ro4'M XRU>hI"A[fT}O%ތE z%Ku}7pCKчfeٜ҅%]WaN oQ#L .ϱV$E[nC 8^%g 5F8 ,heݴ%!g8WG5MGRޏMfzX}U95|Qnl 2XjXvR7HYA^` :)~ѧ!>RÜMkݶOCGs>H2胎6ml-ÉIXn`vthoQp{4ڭ,%_ >< )ZN=H:}mP`95$ǶCMߟL-s#08wwɭ 5y0ݻi`y1&=բ !Tgg ,zz>)@}9\PlmV7-}`Z`1 5fCJKm@i0xz dQJ ds 4.gP)AH = 99 ŊIޑvZ*&RP*m=!ԑt挝Z*ݗh3aGe-n^ $ d6g2+IMipj1!UG,D`v9J,L.[ O6jԍebQ9Դr>Ҥ75C0sҺ<L X&1# K8Y6fzn0  Iױn)`6Ê0ӊYsƾ s>xF~KMM ݜ6,'pB"+H5L6LhH,ioasYu-yA\'ސN86̜w07ÚL ~D'艉m>`4fs)wdm˴o)TЛv39n(!+hWY 2cdRUyrt+[Y3nR>=Mr=""ǰ]_7n>DL)^HIRЙj!@9z٧l)3-$֒eRum"$l J=Ұ.Z*X!d[}aa6E]QZRKHD@CR)Ե ŠaY^`(ytM̆Т~҆}T}Ss . XTM._ }d2ê%M*ګY37ld tAqFA͐`@ELl5K թw@4="I;k\OMπ|P93?棄YTp܉4hR*}a5)4&0Sӹbp=q |X0b=9ߛ8[%5n/.{gK Iky]ؑ.RLjFd>j'L[aHz{>cTfha82-|?x;Hy¤cI_.)UI?O~1:2.eX k9eOf3nIp]i%rnڳHx H_Gs@B(T2`LHG7S] eQaȣuE_z?6jcXe[;pM2tH} [LglQIB>O RN]'Xk5F>սD:#DA#E . ZCsЏgBrAaj H"T `nR@;kRUԓtZC ^~vJIڶdt8}ڥnssQ*/KW3g R|ۏjZ(T+15UT9,J7+|&)R3Kc N_ޝ{o{䋲ߧה{`3\xK}`x䓋2,*`ز|˘ZմlxXaWJ$z`LFsZman0L;3N۩O6{1 "9&Ԧg>jאj8}0hݤS(H[D`; nUESU[z7fy@L Gzx؝LHuҘN7Hi炚X9bRkEBZG ?cqi@?k@Úaž.JeZPKknxEk‡1wር54& u|8꓍ZJ5qv3Ty9kY%f+aEoM4=<^CP$*=~ O#eIF:#}x3s?LWEnkPkw(* Kq3`9S"象mBxu_+'&lE6Xil=vH| f^[~{?I ~9p驔rgHWtq͡/3Onq, ҧw4A̘5YTZBW}X`" ]1SLB]ITY) q g@Zf2U)+e"m=O \X Z>&RrEuE;tЋ­7*P#I{(U?"⃤j^7 JO C.:͂Fpi-EB%3B-ܛ`@O|C] 0%enzIMqza/;nK-%.O ^ذ:z6]6%Q;k\!c̚Òf$S, .IG:-ef{F*ݐ7UU :*ijAROpӁ9tGl~" tDwe2qy27(kMn@&ݙ}adJ@*5]*;_ 1s0G\0R,WzHp?lZ.+~d9#T`| @-a'd1s<ēo =$Єןۆ +~W?l)ɁXXD>Diz\{e">QP(k= ת)&b}* N= A$K~O:=q>rg| 8}_e;AN{Q~ZrwԸGZ`>|?H㇫Χ>o|h0.[-tJj2m&A)`Q?rfWOFپ ]wᳳI/`y BN9pWKǝ?wH-)^s)z0WN8k8`IN*axո O8>n48Z&IEyDCwȰ Z_ƥsl]qfiZ ^Ok5W'27p- ۵}g#s~uY PH2>(_!aPHR ~tDݽkwޗz?$i^_{w jEpASB9kթ-pOӆO|BYAJ;DLA2߄q?Ic6uYP$<2ON)tJȓÓ!D=)*ښIդ"8I5F4A2 uIH? Md4XPW Pقt/'59۴8]>u<<RpLCRC}8 'B}$XyC(Ť3DJ^KjpVKu^N4~xr'|xj}yUi^;GNĶ;S f#m{'M{q?I8t2Ti\'3XrwѺB ~ݾM5TAΐvY?yxXT7mD1CrYuE_zQ WO$ t{Do7ۨ;.|ʜ(=~![5zxyu?sFΛ=[o5e'37)۝tNiamǡ850Nt,4P$yUZ/WU $]te%FtZx@2&j%3 =ki^x̠t4l>g[f1vfw ݷP Y.=]bwQ[]xŞvYiIU.J\-"PnǸZZ|:W%0.րzԧSӆ5er e%Aa dœVT.|sx*Y-<{%SZ<.֟a .*Ӹt8Swcy7J1z 7*7eUrr? 6)c0p]}D33\8rǽHwk'ob*IL][@2:$<,FF?ue".#Y'zw6S* w2g@½X ){@\1tҋA8ANbs¡" :˲2cZXX9-ĖAVMc[*n:g384c:&rœ(*aYfi1cϭ։vR{h܇If*qCJM1+c3}&%%KR$]q"q/.+q=MnA$q` ,U j)N4{4Kk21"$7_y5VR&&rDyBdB]i/)d<9x,<>ːbBp0nQ/y 9 2hE^+%W+GYxhYlޠxu?ȮyO-FLZ}%$~ZVS/77o9_c YK”h9G{i#*M[ N;Kc|j;VG3/I'i,$R ?&!XMGjR G|SiQF>XJ^4%S^!#Yߴwo@ʒR &ўI>}. cԻs +Rs~mI/T-]>? E8,ӶpXa@7K*M٧a18Rr;„҉z΀eX)3w!H&[ $ A#L}] xx xi{^JZ&BhLLe}mQݟH7O"}6=XM+;9mVpE,|*Ҷk=k^s=BĴPG3[OmRjRO ,_#PCGLL # 'zfV#^ t>b>ecKsO)n@u0/6v+8@bd HBQD H޶ Wʦ Wyv;濙nhžtو%qtoeJl! uVG6ַK-cRI]GtqewwwwP4X|2W/#Far& g0a&_ sń$z:j!~(O9n8zĽ@sbAv(xMFQm6'0pD%$O9O91DqkQcL5#2 k('>?D'%:Zgy nb+\@,vaM)ȁ.b˫1ʱ, <~܉{!,p;rZ4얜䀲e2~bJbFyA y!Fv#͏;Kb+I7;$q`+jj5BA^ #a"ckjrD,?t$"RV./>1>B,tAe3)Muk 0#\"ΩTh,vxOȥkc.ZEWWK.;&ZbiE.c 2uuWHk̘xh4vlNz yԥ:BM\ETBhrFZj>A1R`s05̈bvӚ lzZC2J[76]4_q=!o7ݙAfnVu&KoVy#On@tOa DXrX\Ҋ poN39$.+Ja Sۙ!k:ȳ6āي_{\o|J7O>B8!iPͰֺxuU1"'p`\`sr(@KK*2&Bs8{_]&j&[ր aNJx*ϙF$hD1f 6+^ô֌͈ iu/<~`A={Qi_21Fiŷn(l;b21#|>Oc&ڗI&FK1tQ:..( oI[PXP؟?pk2&H0Zkf`:>"(S[]ă0>]w7S0MpWFj9v``\ovN*' @=:ςp s!aZ;<$QB<䱤Pl <'/pm|?݉9e/( p @Ka1c~PoVR$4 >+>gٕa)豪ٕo)^M ;eer =M蕴B^Ȉq/Y40u0 }a3brMt?L ˳/sE"OGeݹ G5}¶V-r5uu_;_N˫E%Rdg&R0mw 5Eš\ «.Y2U94dG0=4y E^wD(/& F^ Àacl^]-Zq Y'>;j12;Ztt{r:X)` ZIe p!>EZ=ҹhIJ/6΀2?BnjP5 ʯ֗7S(d#֗7VF1/?dCF?|OO۹i{}yпvF?Ӿ(3f/Y|sgϳ}3{9Ϡ99yg'EsF)f Q~0{s!?0~ׁw2?/ r qeW?Wwn=^X_ S}Y >>gʯʁ3ڿh:s$eCPȐ%.Np2KQʠ/ޯs2 'GY+wU/3yk86? Vt{r*%n q9xL|uӚܴO] v<2kݫ++#BAfПb 9y?&OxVfw}4(w[Йq2ޢD)+Fyk@ä{zY)W͸aPcnU= !Yڳi>Y3,mcq) ?`-kD:'鴔q8ScӄY"Døf|z4}z<8ül1@Щ z\w 0 hJ/.ӡxKQ,Vk.;|3sxíd<@T6rֆwr$!{H-=I߿\=u{ĪD}Q!rE>D gMEFIm{䁴x!FxSSjIeg ̸&$}*)ëLi'UGz0$YLAƊr2Fdu#aq1<́Pnl@Pl]|݆-gf+f1gxp1?-mgrlCk qg[qœj@@rĶeN(Z P›?k&.xY~1'A>ಓH_c'cEwy&bb P|_ |fڳ{I !fIw&  _cm%^#%aBcM=X7`ǹ~rh`=F(aO$VSP}XG-N-Ntk&|c C >%Ͷ cTF\gȌa)xD=RcЁ_454:X-5,l$9=ASh4OW5EXI% i[j9.KPRJVr.Q ?vFwU7"1b9?"ㅰxo!Z^y|XT ,sD?>K:[S1U1ւ_6/gз/;MzKV9((& ]a)Jq񵙼$tfP/9"Ź oPmB0wC{ ,CP6vo>Lcc? `vwbxS'eMc(ŬBCd=)O?7G[nI\k<>ci xqzc<znG}4y֢ƘJu!A]=_vs[>/'R`ˣŬ"D0Ȯ'Z:tsh;h[3THهl*~&/&,{k+НTnxFK-^P?Q> χ"@Ԃ+"e})IDy)/π/(83}E.tG:.RXBYS$DU $Rzf}!Y/ ~} Wha<y&F{5J"<&o(FҢΰ \岞+jaKmwN~늘p6JL? ۔9MR"GZi/%!zR4էr0>d֌V&|ƷZ2cˤ_ &&