The Hacker's Mistake
Sunbelt researchers first discovered the WinLdra Trojan in August and traced its communications to uncover evidence of a massive identity theft ring. Since then, researchers at the Clearwater, Fla., company have uncovered many more variants of the Trojan, which is believed to have been around for more than two years.

However, the point-and-click builder has also been a gift to investigators. Malicious hackers who follow the canned instructions to the letter often forget to secure their log files, allowing law enforcement and researchers to recover the data they have stolen and alert consumers, Sites said. Sunbelt has passed information about thousands of individuals whose information was stolen by the Trojans and stored on the Internet to banking officials and to officials at Visa International Service Assoc. and MasterCard International Inc., he said. Recent attacks have targeted customers of HSBC and Bank of America Corp. The company is also working with the FBI to investigate the incidents of identity theft, Sunbelt has said in the past.

WinLdra can be difficult to detect, because new versions can be created quickly and by individuals with relatively little skill. The program is also small and easy to install.

Once on a machine, WinLdra injects its own DLL into a process used by the Internet Explorer Web browser. That allows the program to mask its own communications as those of the Web browser, circumventing firewalls and other security programs, he said.

Despite the sophistication of the program, the Trojan builder for WinLdra isn't the most sophisticated that Sites and the staff at Sunbelt have uncovered. Other programs for sale on the Internet through dedicated Web sites offer actual graphical user interfaces for building custom Trojans.
The programs are evidence that information theft is becoming more sophisticated and streamlined, with credit card and Social Security numbers harvested from vulnerable computers, then offered for sale online, Sites said. "The data we've seen is very international. We have information from Poland, France, and Germany. This is so widespread, it's unreal," he said.
"We're finding about one or two variants of WinLdra a week," Sites said.