Researchers at Sunbelt Software Inc. have uncovered a special program they said they believe is being used to create keylogging and Trojan horse programs that target customers of financial institutions in the United Kingdom, United States and Canada.
Researchers recently discovered the “builder” program on a Web site that was harvesting information from a variant of a Trojan horse program known as WinLdra.
The program provides an easy-to-use interface for creating new variants of WinLdra that can steal credit card numbers and online banking log-ins from machines on which it is installed, and can direct e-Gold payments into an account owned by the attacker.
The builder program makes it easy for even unsophisticated hackers to create a specialized Trojan horse program.
It may be responsible for a flood of WinLdra programs in recent months that have stolen information about thousands of customers of banks and financial institutions around the world, said Eric Sites, vice president of research and development at Sunbelt.
The program is not unique, but is evidence of a widespread and sophisticated online operation selling software that is tailor-made for identity theft, Sites said.
“This is a kit for building [Trojans],” Sites said. “It's user-driven. You can fill out a few check boxes; it's branded and comes with a help file in Russian and English.”
Until recently, the software for creating WinLdra Trojans was being sold from a Web site, www.ratsystems.org. That Web domain was first established in September 2004, and is registered to an individual named “Dimitry Semenov” in Moscow. The Web page displayed an “under construction” message Thursday.
An extensive help file that was discovered with the Trojan builder provides instructions for creating a unique version of the program and advertises its information-stealing features.
In the help file, the Trojan program is described as a “UK account grabber” that targets Web sessions by customers of banks like HSBC.com Inc., Barclays, Lloyds and NationWide Bank. It has features that intercept submitted form data and specific character sequences, such as selected digits of a social security number, according to a copy of the help file provided to eWEEK.
Users are also given detailed instructions for deploying the Trojan program, including directions for modifying and uploading script and configuration files that will transmit stolen information back to a computer controlled by the attacker.
Other features in the builder allow the attacker to configure screen captures of the victim's machine or run commands that turn the infected computer into a “bot” that can be controlled from afar.
One feature even allows the attacker to provide an account number for online payments company e-Gold Inc. If a user on the infected machine attempts to make a payment using that service, the Trojan will reroute the payment to the specified account, Sites said.
WinLdra is typically installed from malicious Web pages using exploits for holes in Microsoft Corp.'s Internet Explorer Web browser, Sites said.
In one case, the program was even distributed from the Web site of a legitimate New Orleans-based company that sells fishing equipment, he said.
Once it is installed, the program immediately copies and transmits the contents of Windows Protected Storage, the system store in which Internet Explorer keeps saved user names and passwords used to access protected Web sites, as well as AutoComplete data from any Web forms the user has filled in.
Often that action, alone, yields a treasure trove of information to the attacker, including credit card and social security numbers, Sites said.
The Hacker's Mistake
Sunbelt researchers first discovered the WinLdra Trojan in August and traced its communications to uncover evidence of a massive identity theft ring.
Since then, researchers at the Clearwater, Fla., company have uncovered many more variants of the Trojan, which is believed to have been around for more than two years.
“We're finding about one or two variants of WinLdra a week,” Sites said.
However, the point-and-click builder has also been a gift to investigators.
Malicious hackers who follow the canned instructions to the letter often forget to secure the log files on their drop servers, allowing law enforcement and researchers to recover the data they have stolen and alert consumers, Sites said.
Sunbelt has passed information about thousands of individuals whose information was stolen by the Trojans and stored on the Internet to banking officials and officials at Visa International Service Assoc. and MasterCard International Inc., he said.
Recent attacks have targeted customers of HSBC and Bank of America Corp.
The company is also working with the FBI to investigate the incidents of identity theft, Sunbelt has said in the past.
WinLdra can be difficult to detect, because new versions can be created quickly and by individuals with relatively little skill. The program is also small and easy to install.
Once on a machine, WinLdra injects its own DLL into the Internet Explorer browser process. Because its network traffic then originates from the browser, the program can pass off its communications as ordinary Web browsing, circumventing personal firewalls and other security programs that trust the browser's outbound connections, he said.
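One practical response to that injection technique is to inventory the modules loaded into the browser process and flag any DLL that comes from outside the directories a browser normally loads from. The following is an added example by the editor, not code from the article or from Sunbelt; the trusted-directory allowlist and the module listing (in the shape a listdlls-style tool prints) are constructed assumptions, including the two planted entries that stand in for an injected DLL.

```python
"""Flag DLLs loaded into Internet Explorer from untrusted locations.

Added illustration: the allowlist heuristic and the sample module listing
are the editor's assumptions, not Sunbelt's detection logic.
"""
import ntpath

# Directories a browser process is expected to load DLLs from (assumption).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files\internet explorer",
    r"c:\program files\common files",
)

# Constructed module listing: (process name, pid, full path of loaded module).
SAMPLE_MODULES = [
    ("iexplore.exe", 1324, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("iexplore.exe", 1324, r"C:\WINDOWS\system32\ntdll.dll"),
    ("iexplore.exe", 1324, r"C:\WINDOWS\system32\wininet.dll"),
    ("iexplore.exe", 1324, r"C:\WINDOWS\system32\mshtml.dll"),
    # Planted: a DLL dropped into the user's temp directory.
    ("iexplore.exe", 1324, r"C:\DOCUME~1\user\LOCALS~1\Temp\sys32.dll"),
    # Planted: a path that only looks like system32 until it is normalized.
    ("iexplore.exe", 1324, r"C:\WINDOWS\system32\..\Temp\ldr.dll"),
    ("explorer.exe", 900, r"C:\WINDOWS\explorer.exe"),
]


def _normalize(path):
    # Collapse '..' segments and case so a disguised path cannot slip
    # past a prefix comparison.
    return ntpath.normpath(path).lower()


def is_trusted_path(path):
    """True if the (normalized) path lies directly under a trusted directory."""
    p = _normalize(path)
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def suspicious_browser_modules(modules, browser="iexplore.exe"):
    """Return (pid, path) for DLLs the browser loaded from outside trusted dirs."""
    hits = []
    for proc, pid, path in modules:
        if proc.lower() != browser:
            continue
        if _normalize(path).endswith(".dll") and not is_trusted_path(path):
            hits.append((pid, path))
    return hits


if __name__ == "__main__":
    for pid, path in suspicious_browser_modules(SAMPLE_MODULES):
        print(f"pid {pid}: untrusted module {path}")
```

On a live system the listing would come from a process-module enumeration tool rather than the constructed list, and an allowlist of paths is only a first filter: a module in a trusted directory should still be checked against a known-good hash or signature, since a dropper can write into System32 when it runs with sufficient privilege.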
Despite the sophistication of the program, the Trojan builder for WinLdra isn't the most sophisticated that Sites and the staff at Sunbelt have uncovered.
Other programs for sale on the Internet through dedicated Web sites offer actual graphical user interfaces for building custom Trojans.
The programs are evidence that information theft is becoming more sophisticated and streamlined, with credit card and social security numbers harvested from vulnerable computers, then offered for sale online, Sites said.
“The data we've seen is very international. We have information from Poland, France, and Germany. This is so widespread, it's unreal,” he said.