Sunbelt Adds Detection for ID Theft Keylogger
Anti-spyware vendor Sunbelt plans to release a free tool to zap a sophisticated keystroke logger being used by an organized ring of identity thieves.
The spyware keylogger, named Srv.SSA-KeyLogger, was being used to hijack confidential data from millions of infected computers and send the information back to a remote server controlled by an identity theft ring.
As previously reported, researchers at Sunbelt Software Inc. made the discovery during an audit of "CoolWebSearch," a program that routinely hijacks Web searchers, browser home pages and other Internet Explorer settings.
According to Sunbelt president Alex Eckelberry, the keylogger is a small program related to the Dumador/Nibu family of Trojans.
He said the executable runs under the cover of Microsoft Corp.s Internet Explorer browser, making it difficult to detect by software of hardware firewalls.
The keystroke logger has been programmed to shut down the firewall that ships with Windows XP and steal data from the IE "Protected Storage Area."
The program also hijacks data from the Windows clipboard and uploads all the stolen data to a remote Web server controlled by an unknown ring of identity thieves.
Ziff Davis Internet News has confirmed that the data being sent to the Web server included chat sessions, user names, passwords, bank account information, full names, addresses, eBay and PayPal account information.
The logs being sent to the server also include logins and passwords from a number of software programs, including WebMoney, Far Manager and Total Commander.
According to Eckelberry, the keylogger also modifies the host file to block the infected machine from accessing anti-virus programs.
Because the keylogger is programmed to hijack data from the IE "Protected Storage Area," Eckelberry recommends that IE users turn off the browsers "AutoComplete" feature.
That can be done by unchecking the pre-checked boxes via Tools > Internet Options > Content.
According to Eckelberry, the data stored in that IE feature is very lucrative for identity thieves.
The browsers AutoComplete tool is used to store all data entered on HTML forms when purchasing products over the internet or filling out personal information like addresses, phone numbers, and Social Security numbers.
It also has a feature that stores usernames and passwords for Web sites that require you to login.
One example of this is online banking Web sites that include Web-based mail servers like Hotmail or Gmail, he explained.
Eckelberry said Sunbelt will share the technical details on the keystroke logger with the entire anti-virus industry to ensure that detections are added for users.
Sunbelt has already updated its CounterSpy and CounterSpy Enterprise anti-spyware databases and plans to post the free detection tool to the Sunbelt home page on Thursday.
Anti-virus vendor Trend Micro Inc. provides a free online scanning tool that detects and deletes the "CoolWebSearch" application.
The Trend Micro tool is available for the Microsoft Windows XP, Windows 2000, Windows Millennium Edition and Windows 98 operating systems. However, it will not detect the Srv.SSA-KeyLogger executable.
Sunbelt has published a list of basic security recommendations for users and administrators to help thwart identity thieves. They include:
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.