Researchers recently discovered the "builder" program on a Web site that was harvesting information from a variant of a Trojan horse program known as WinLdra.
The program provides an easy-to-use interface for creating new variants of WinLdra that can steal credit card numbers and online banking log-ins from machines on which it is installed, and can direct e-Gold payments into an account owned by the attacker.
The builder program makes it easy for even unsophisticated hackers to create a specialized Trojan horse program.
It may be responsible for a flood of WinLdra programs in recent months that have stolen information about thousands of customers of banks and financial institutions around the world, said Eric Sites, vice president of research and development at Sunbelt.
The program is not unique, but is evidence of a widespread and sophisticated online operation selling software that is tailor-made for identity theft, Sites said.
"This is a kit for building [Trojans]," Sites said. "Its user-driven. You can fill out a few check boxes; its branded and comes with a help file in Russian and English."
Until recently, the software for creating WinLdra Trojans was being sold from a Web site, www.ratsystems.org. That Web domain was first established in September 2004 and is registered to an individual named "Dimitry Semenov" in Moscow. The Web page displayed an "under construction" message Thursday.
An extensive help file that was discovered with the Trojan builder provides instructions for creating a unique version of the program and advertises its information-stealing features.
In the help file, the Trojan program is described as a "UK account grabber" that targets Web sessions by customers of banks like HSBC.com Inc., Barclays, Lloyds and NationWide Bank. It has features that intercept form data and sequences of symbols, such as special digits of a social security number, according to a copy of the help file provided to eWEEK.
Users are also given detailed instructions for deploying the Trojan program, including directions for modifying and uploading script and configuration files that will transmit stolen information back to a computer controlled by the attacker.
Other features in the builder allow the attacker to configure screen captures of the victim's machine or run commands that turn the infected computer into a "bot" that can be controlled from afar.
One feature even allows the attacker to provide an account number for online payments company e-Gold Inc. If a user on the infected machine attempts to make a payment using that service, the Trojan will reroute the payment to the specified account, Sites said.
WinLdra is typically installed from malicious Web pages using exploits for holes in Microsoft Corp.'s Internet Explorer Web browser, Sites said.
In one case, the program was even distributed from the Web site of a legitimate New Orleans-based company that sells fishing equipment, he said.
Once it is installed, the program immediately copies and transmits the contents of Windows Protected Storage, which contains saved user names and passwords that are used to access protected Web sites, as well as information stored on any Web forms the user has interacted with.
Often that action, alone, yields a treasure trove of information to the attacker, including credit card and social security numbers, Sites said.