|
|
|
Trojan Hidden on Job Search Sites Steals Personal Data
By: Brian Prince
2007-08-17
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
SecureWorks uncovers a cache of records that were stolen from 46,000 victims on a single server used by attackers.SecureWorks researchers have uncovered a cache of stolen data from 46,000 victims of a variant of the Prg Trojan that has been used to swipe personal information from unsuspecting visitors to job sites.
Experts at the Atlanta-based security company said the information includes bank and credit card account numbers, social security numbers and passwords. The victims were infected—and in numerous cases re-infected—by ads on popular, online job sites, including Monster.com during the past three months.
The hackers behind the attack are running ads on the sites and injecting those ads with the Trojan. When an user views or clicks on one of the malicious ads, their PC is infected and all the information entered into their browser, such as financial information entered before it reaches SSL protected sites, is captured and sent off to the hackers server, according to SecureWorks researcher Don Jackson.
 To read about how a Superbowl Web site was hacked using a Trojan, click here.
The data cache is run by an organization called the "car group," Jackson said, which is believed to be running a total of 12 servers involved in the attacks. The Car Group got its name because they use car names such as Ford and Mercedes in their attacks. In addition, eight other servers around the world are collecting and storing data stolen by the Trojan.
"What this is an indicator, though, of is [that] this is one of…the top…two Trojans in the world as far as distribution right now, as far as the total number of data caches found by SecureWorks and other organizations that track these things," Jackson said.
Anti-virus vendors say they are writing file-based signatures to address the Trojan, which it is easily able to evade by changing a couple bytes of code.
"This Trojan uses its own packer…it compresses and changes the code around," he said. "This packer is unique to this Trojan. It was written specifically for it, and the construction kit that produces the executables is very, very good at putting instruction substitutions, giving a long string of instructions for a simple task and putting garbage code or null operations in there, so that it is hard for anti-virus. Anti-virus has not been able to pick a stub…that they can identify reliably from file to file."
Prg appears to be a variant of a Trojan known as wnspoem that was discovered by SecureScience and analyzed by Michael Ligh late last year.
According to Jackson, many people are getting re-infected five or six times because their computers are unpatched and they are unaware of what sites pose a danger. The ads are pointing to an exploit kit called Icepack, he added, which looks for various old vulnerabilities on PCs.
"Ive seen one guy get infected 100 times," he said. "It is not uncommon to see people with the same infection IDs."
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
|
|
�������x}kw89�v2��zڎGX�XJ<=:� IlS${O/sOo*�|AKN�Ė�*T�
B;�?{{o~$rLȥkmJg9�{>�D{{}&GP`QP�/�2r}R �
�tӌ5q��:!�M���=�>;|�9|@D��%SjMaCkf��Fc_f�2ʼn5o2�f
�E1;'�}>Bm �~5{��6
�#%}:�K���E!�m$oqT}:�XQ=2rН3ݟX�BT!|DJ%h���1Qu�͟Q��{/�!�X]~�D4��ٮq�4]�b'*cO^3j��b㥨��aP`\�9t}�^�
Go&lw�&�"�ScO$ӡ%�NfI% 0��Q#@oڮ�SVHf̲;o� tG
ob}u�ק&[!
b�S�3Mu��N_FB?
¥0�
�?�GpA'�ס"�'�ml_k|�tns<"s~5
CoZeNDj%
?q7`JaC)Lj�Z�E>�7
ؗ#Y͢aF3l˸+:4
XS+C(ǥZz�+����1݇'�2+�;ѹ}KB(u��u7�ٺs��mm%k%�{z�sqF�5oy��vty//�YJM~c/DJ V,D���-ԁN�Y�_'5}(�ĭ~㖯[�ˇ%MюR?6,fϷ��3�+i3*,'ɠ-?[:WM!MsYf0Zi�C�A+Wt?c{ˠzq{־}^{}rֻ!·iѝF4pgs
ZʟZr�n`KvO|�?lrO��,���.i�TW�%32�uLCxE�$Y-r{&8�\^��C���j�ݖU�B_*D�ȟ�/Rzhf5
t�@C�X&%�2ɌS�Hu��t:���e9AcM'C6kiJu�V�!`FC�ܺo�N�49�(��蟩$�m�4�@r5�)6B̄H )'WR>�_�,-|y"�b�r�ݢHPs>Χ+foF">��23y�B(&�pHq�b��&�μbO�yx6zY[5'jtamEis_��ӲKwI�IwNzہ)WI�C��KEhYf7-wI��qM}{QU��1W*P\?.Ëʡ��b�(7ZdL��,��5,{Lt�ާl�A`�:�g1>QӚ�#qRO#Gs�>H2胎6mb8�-�"�
,70}Hw@zqI�47X�8|}Zc�O6�/|�\a���^��i$�>6(Z\?`�
V�Cf@B랂9����ޚA�"�Qޚґ4�a���q�j 8=�*~s��=w}
�
�
@�l�'k�6G~[>l0��s�ɣ�F\KQ�o�m�2)%%E2� E�EK�y3@� $h�-4O`��z.�,m�bo$?H�XVph�Tݞ�Hp'PT>Uh&3aGe�-n^�d6gF2+LYG0-&D7rb�.G E7Kᙖ6FlY.+ǚvXçc&tc˰` @�}= 3ܲM҂%�Ll;!i`2Ґ(e`9�ޟ�F��a]�:�<�f3�35{80�q}�`] �k�tӴ٦͙qj�S�;_Aa"tL�eB#`9N{S�^g[,:L:%qGnz]:0s>�k2�'�yv�=g�.Q1j�uϙO#kۖs�M�*� j�J=WsF���A|5��i!sL&Ze�on<�Gy�5&㓫(\=P=Д�f�kb*q��(>�u�P\O�ō4���BЊOW}��?ٲZbY6(U7v/KƠR9�_�R[k�ҁ
K
�rL����ZԵ1��D�4$"]
`}.�e�O�qHL�īl�-�m7D=t�=0_�ܰ탡�jrI))Ka�W4E%sXf&`ܱ�
&���P
���7S~8���[0P!k�^GgV�u<]|$}��r;C6�]?C�C��}QȺ Q(JЧVȥC � Mq��ά��hPS
bI�,(t=(U�F+wWay@٘*#܉�7�k�
Bo` 2l�3sG�/.fru݉M% y�ns�sQ*JW+�)R�;O�z^*k 5ǩUUR;.Z
7;z�&9̓�)V3G
q�'|}1Mo�ř1F�tQ9�[J?�C0t�.rɵ`s||uj���N8elCc�>eL�Fr�lxTa]CP,*Ͻ"ty�9~�ޖOmwn��;hi-u�Qjy.Am �/��5r/�6ߦI39旉)/hy2檦URd,4Ω,6�f�ĮiϺV&>�e>c'}R�c'o�:Z�$t'n=��UI?sԷлMk�l���ޣ�0��6@yzb#��jUa��v bȈCzf�zJ$ޅs?^i0�{T*JZ�ӳ�$*+@:e�rz�埍8iJ#�郦nRTS*.?JmTjjEI�z, :.i�7xџ1YD+(++i-Y2�}a�mD�9[�&�4w�ʨK�3[*X>DД4Ϩ���;�Rb�
h�
kGQh-BwEj�`�0W�44Nc�pDM�?ց�h)03bMٸU~J0iuI+KZ��̡�2a{��V�$ƾ�ܓG\\7h�oy!?"XWS�wg�us�̇)
R#Zִ2hw
ĶVU�%D.-��qC`
IZV�S�"YKrv�zJ5+dP�e�\x�O+�tS�N`+T�.n��_B'GWƒ"'!�M4�3,�`jRUܘ㏌&�}'>N
ПBQ`��о(&ю0pm�ɪO@T�#N��Ew%]w4O}ֻ�Hg#��i_+Kx�i/R���X{{{Ֆ�~61�%zˁNIM�$(��X�Mp_�,I�s^y�{{jWo��6zv9�D���2�DH#�r��z�emJ|wѻGE#{�;�z��܉Z�ݷWG, YG#�B^tZ7 ǧ�
�Ak;d4)(�3pX#�axK#fψ�!B*.v3��N/Ns>\zF_j,8Eψa6�F4ZGSkޚ8
V�`!�w1t|PVc� (ʱ�=`=����`
v}���.�@d�BAnp�kz!NU��He*e4Д+�e3:)K48xyQ$��rF��n1�~x�AZd}��eԉ9%2�\(���?m[ħ{�,�/䎱>�E=:dSN�M([viQ�-uьyjtJ9S"\�(6H P6,OҼe=lI1 iK"ih$bbVȆRo�ݺڞ6<5ޥ]ƙBƗH���Ζ�e��̗4.נ��E4��V�#["|�'�-&GX!*VZZFZvl*'?v��81
VAkv,x\J�}[<,'�Mw[�!�
Hbй!sP�+}Ƃ�y��}G��W+u�\�=eNd>HА[�=ty�8#�-[__͆ܓ9{_Jc Ǿz/ۻ7�}Zw[q*ApKG<-�L�?Gfc:�M"�IQU֫��UdU)IW}Y)G�G8��L�bo:`@L6#Oځ{W�-�3(��#F�___3{K#�NW+x>*A�O����44�
]ekwB%�J+{%nYZh�r;Tʒ%%դE,IQ�)"{�"F%�t`�5o�14�НLl*z>;�53�����'K�xzQ%Fc?YS+xϗt4/`8[&?�5#,Ӝe6R���]&?�
��pru_,�2p�'mkb:5Z�7s
E4�T+)a:Rr�p�&<~:/7
r`�n[�mCN|IbY�ߺ>驚ZU��>Rt�{DХ�"sàAܮޗ�MqѼí7(>?*m9߿H��uH^_�`�Y�u<؍�T>#^ʭ�0%8�n*�l��V:-7�&Yr�8��nD�~,LΚV�.`9P�4u&5a�8[ ��ps&IRemfL#ZS*ʇ}j>8*>�n�Z4=^ONg}6#&;>��;{�?=�j#N0%d��p�y%H�?a[HQ1T="LFyWI3wҵRˇ96��4@���w�I=,TM�)���y_|W$���"��#E8Ą(/w2#;+;��"w@}K��7_I*i9죽8A��mSj���t
�+5�=O����F#-ikA�ێx#."�,�08rrbe�YZNhy�f2�Pv��"ˁ
n�F��c�!ͬ!zㅈ�a�݉�h�-#_\u�3�:eH@DL�OH"ݺL�0s�i7ݲG{G��R\*���"�$1@�dH�|]��[ZO#Gi>imٰRl(+�9G:u}Oe�;&m��$0d�gacU00$�C���|=�\rYg'
4w}cKFy1%K�d6^_��en3KB$F\�q TQkRy"2���#3$�D�dy�jD؉�]jo%/=�`w
"�T773v:$v}<�XGx؋�_J�HG>g3|Q~A#^#u ��dw=e2ɡ/c)E j!�1-JI�H\��/@c�24wgKy1$�JqG~JԶ���7
̜��H,rVa(pD'�L���uY
-L
4`G7H'7�{ƛpin*5r�(膊K�ƤGu�`keE[�+>��º�"���8/~6�e9s�CwVhmYѧ}�unn>v'VU�g��a�_gˏ>Gos+
BtCB�Bn.@�E}u:;-�Ӷ4�wcFmt
qK;6;Wd9vjcc6�㵙v�mVx}�ŷi�s<`�W۲:pXm�Y��y0m-mĬә{OWn+eIX
-}-�wrhM~<��y{�Hj|ubC�4t86e�f3&e< m~�h�$�=��YE�98Z!O}@5��>f 3h
�ټR-|ׂ�«^_V�hR[�L@Ukr72О�"}a#(hELVÑBu}�ų�TQn�q��Dtmq�6�~>+*���C�r�я"s@9�
es�^7>k_A'-gW�YΞCm�.%��<{>���ͨ,$tGIz� iL!h?�I���PAgXt~D1urafSt]d�v�f0}�P�Cu&߮�[{%菩sT= ?
KL)PG%�_�B~f뇺���]�}
jqd�*F]{N9-(/�o*n?]F~_*R�^q/
�dP�b��N4�#zȮ�@�]o���xP]я TmS_^|��_D�`"�012~j*b�dF�yAx!�Fv�{p5^q'P>0&Ibb~4Gcu\_SS[7��Z�/�[#r�d! `,%7��vEa'`8(ĒI
qZHFpxIYL˃3^A=:�sf4�1%!��q>ƘKjtߦVS�`2d;VXuV%d˘x��VH=�Қ0&,�OE�*^0H>PS�a
M UH+4h 9^Hq5&@
�mN�hC��y<�Vz^3!KwX;�bG=�Vڹ«q�)y,y�-�JrU"cm#Z�~RQ�ߡoU\�+uMi
fOPVT99�O>F#�R8ΐ�K�\� ړn�̝G0Tr^`}{AZaP1,�6�K&b(%LtxZډ�RB�{?�~Gy��9 �����r3j w[
w=ke�#ĝ$gY�&CfW
P
@0K{EMV^@5X>lDGH0ډ�J
J�ݛ9�/2RmF�ν,ʀcD:��S�+�V8]g�lfmmEUk)ַ�g%.0,%n�S�肜X�p,P��\�D(>�#RV¯m��9�̪ f=0IU
�Tbtb
aZ*F6#Zi�x�� 5kL(:0C �c3p��SK�CR�<6$Ae�ȇ5T?�0{
)U?iueqj+�Y�!kj��ݙ;ҡN+qܑ.uf l�B+�Nn&�&`�Cq*r�t�'W%Z;Pk�ٓ48'o�G_
�6a^FGZq)MG)L >I�}11K=
o~{@\q
81q,�-E|E|z['Au}�>l1Chb#�����*HB0\'�;�^m3�tna�G�_s�2�P`#m�M}AG��uS=Y�!'vq]Q
s�<ĝ�[:*�\˘NU?�#7,>�-l�� \Z�p4c ZFU_9TJ�ƈ^尟aD9p=S�-0ȘhD
MQ HxLnr�}�tN�n�O�KZ�&�a� k(E6$+3�TmDRRiaJN<\�&"�cs6#|-�R̀
A��fb��WoH$P`��+wdc>b|�98k=_$R�2�vqU�@��y+��LL�͂zĂ![C6#&Tw�LкHz7En:�?^�+rҹ)(lkMߢֳQwIw{չ^
3�OnaQ慾��,Ǜ,#
rvպ0;eNq(g':�ͅfU�31Sjo:O֖C�||g'>;yIS:o�jS#��Z�uR���'M&7�b�S߹�HShF&5+ۺ�v)�r_rofsi�8Sރ^N9r`sy�h䔟B3Y�}B{([hw7wۅfS��3ݫr7~NG(�_ٮy3>e��2�>2@�\�9_�^%e�^�?䔟CyNߠo9P~S�{3W ?W9s�w3~=/=?��/�9q
_�s?}�?���P�(W�}�C�n6�6oۜons/=IR<��9k]T�$RhK
"�S^9,r�&{#sg+�i^W�Kͮ0TntKL썆cn-:AbCa �c|u$X2M&��#(���R^>Ȧc����˼=�>w�懴I��x]"&J2˯-cENz9.~QFxdR$dZ�+mF�D�tLQUb>|#N�.LeSzy
;«08��,_bٴdA`Rf0�:~ sn�w:aKƘS�DM�KIn�_!�]x@{W`{Kl>` �X)43Ǭ{SDxa�w���. ] }M�
�\TO��&E�VD��w��H]g샴s�#i�^zIcٕ�0�G*�̯=«L�i�j$G[�[�zhLS,ibErb9�Gu�ZCQ�8ۈq�ef~#d]Xv禄���{�P3xX:�20t�gG�|ם�HZ뺺�wfh/^�R�O^�!��M�QHx
�eLMb%$2^܊�~1Q>ಓJ_�b�&+3�>/Flv����Kz?��T|>ޚy�H�(t��&Iw`S�)1��|�j7;�1�Te]ZQYɶ��y
S�O~h�O(#o݊�珸66x�}�҂I�!L/Tvy*�*>�% ,�)�i%:Ɛ�=ۭ��S)0�p,\f�@G�6�CF|�gKo��[��3̾J��F ϱɮy*�3@WD0;"�����Yc�KE�&(Xp\'A6Ιَs;\�r"c�<[_Eڵ<�ok3���+~`[t-(�5x2{n�G�L�e�ӝ��!oҮ\)V�cʕ.S�ܟ?B͗a��҇fFHW�k^��zX�տ&gPs�h݆G��0ޏw�PV�|@��xS�a�
�Jv��E=b�\
�Ѩi�pKTUDn�n���s^koycE]E>*�Ѝ
�ϰ1igNb��c��b@x��=f_q�x�FN|L/�X�:}!}ő��YX&�7$�/OۋB�7Ѱ0�L{,luED%e��2JACa
�0F
���:h2
19.f@�xI1%h3l佈mAb�?�ڵ-caG?�,�ɀa�t>$;]r*箍A-F�12Mo,/`kV�"�K�{�'gEN�C��s�3��|ל �0um�r�?{���]9,M��c|R�c9�`=�`Z��]x�
O�0YdW�PэX�-f�1%Dv$8ґCCԞB*>e31#7Dn0Br;H
d[H_م�t�3�\j�9/�YH~1
���<9�9�.@OI"cXM1}a`�|@t&W�.r�W���|�N�|Mr1^��ʳ@:k]v/>�J�`�g~NT�vQ��Ke
|
Network Security & Hardware 
