Sunbelt Adds Detection for ID Theft Keylogger

Anti-spyware vendor Sunbelt plans to release a free tool to zap a sophisticated keystroke logger being used by an organized ring of identity thieves.

The spyware keylogger, named Srv.SSA-KeyLogger, was being used to hijack confidential data from millions of infected computers and send the information back to a remote server controlled by an identity theft ring.

As previously reported, researchers at Sunbelt Software Inc. made the discovery during an audit of “CoolWebSearch,” a program that routinely hijacks Web searchers, browser home pages and other Internet Explorer settings.

According to Sunbelt president Alex Eckelberry, the keylogger is a small program related to the Dumador/Nibu family of Trojans.

He said the executable runs under the cover of Microsoft Corp.s Internet Explorer browser, making it difficult to detect by software of hardware firewalls.

The keystroke logger has been programmed to shut down the firewall that ships with Windows XP and steal data from the IE “Protected Storage Area.”

The program also hijacks data from the Windows clipboard and uploads all the stolen data to a remote Web server controlled by an unknown ring of identity thieves.

/zimages/1/28571.gifRead more here about Sunbelts discovery of the identity theft ring.

Ziff Davis Internet News has confirmed that the data being sent to the Web server included chat sessions, user names, passwords, bank account information, full names, addresses, eBay and PayPal account information.

The logs being sent to the server also include logins and passwords from a number of software programs, including WebMoney, Far Manager and Total Commander.

According to Eckelberry, the keylogger also modifies the host file to block the infected machine from accessing anti-virus programs.

Because the keylogger is programmed to hijack data from the IE “Protected Storage Area,” Eckelberry recommends that IE users turn off the browsers “AutoComplete” feature.

That can be done by unchecking the pre-checked boxes via Tools > Internet Options > Content.

According to Eckelberry, the data stored in that IE feature is very lucrative for identity thieves.

The browsers AutoComplete tool is used to store all data entered on HTML forms when purchasing products over the internet or filling out personal information like addresses, phone numbers, and Social Security numbers.

It also has a feature that stores usernames and passwords for Web sites that require you to login.

One example of this is online banking Web sites that include Web-based mail servers like Hotmail or Gmail, he explained.

/zimages/1/28571.gifRead more here about the many faces of spyware.

Eckelberry said Sunbelt will share the technical details on the keystroke logger with the entire anti-virus industry to ensure that detections are added for users.

Sunbelt has already updated its CounterSpy and CounterSpy Enterprise anti-spyware databases and plans to post the free detection tool to the Sunbelt home page on Thursday.

Anti-virus vendor Trend Micro Inc. provides a free online scanning tool that detects and deletes the “CoolWebSearch” application.

The Trend Micro tool is available for the Microsoft Windows XP, Windows 2000, Windows Millennium Edition and Windows 98 operating systems. However, it will not detect the Srv.SSA-KeyLogger executable.

Protection Recommendations:

Sunbelt has published a list of basic security recommendations for users and administrators to help thwart identity thieves. They include:

• Train employees on the dangers of opening attachments they are not expecting. Also, do not install software that is downloaded from the Internet unless it is scanned for viruses. Even visiting an infected Web site can compromise a computer if certain browser vulnerabilities have not been patched.

• Isolate infected computers quickly to prevent further infection throughout your organization.

• Use complex passwords to make it difficult to access key information on compromised computers. Turn off and remove unnecessary services. Many operating systems install auxiliary services that are not critical, such as an FTP server, Telnet and a Web server. These services open avenues through which malware can attack.

• Configure your e-mail server to block or remove e-mail that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

• If malware infects any network services, disable or block access to those services until you can apply a patch. Always keep your systems up-to-date with the necessary patches and security updates, especially on computers that host public services and can be accessed through a firewall, such as HTTP, FTP, mail and DNS services.

• Perform a detailed analysis and only use trusted media to restore previously infected computers.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.