
    Sunbelt Tracks DIY Trojan Builder Program

    By
    Paul F. Roberts
    -
    January 19, 2006

      Researchers at Sunbelt Software Inc. have uncovered a special program they said they believe is being used to create keylogging and Trojan horse programs that target customers of financial institutions in the United Kingdom, United States and Canada.

      Researchers recently discovered the “builder” program on a Web site that was harvesting information from a variant of a Trojan horse program known as WinLdra.

      The program provides an easy-to-use interface for creating new variants of WinLdra that can steal credit card numbers and online banking log-ins from machines on which it is installed, and can direct e-Gold payments into an account owned by the attacker.

      The builder program makes it easy for even unsophisticated hackers to create a specialized Trojan horse program.

      It may be responsible for a flood of WinLdra programs in recent months that have stolen information about thousands of customers of banks and financial institutions around the world, said Eric Sites, vice president of research and development at Sunbelt.

      The program is not unique, but is evidence of a widespread and sophisticated online operation selling software that is tailor-made for identity theft, Sites said.

      “This is a kit for building [Trojans],” Sites said. “It's user-driven. You can fill out a few check boxes; it's branded and comes with a help file in Russian and English.”

      Until recently, the software for creating WinLdra Trojans was being sold from a Web site, www.ratsystems.org. That Web domain was first established in September, 2004, and is registered to an individual named “Dimitry Semenov” in Moscow. The Web page displayed an “under construction” message Thursday.

      An extensive help file that was discovered with the Trojan builder provides instructions for creating a unique version of the program and advertises its information-stealing features.


      In the help file, the Trojan program is described as a “UK account grabber” that targets Web sessions by customers of banks like HSBC.com Inc., Barclays, Lloyds and NationWide Bank. It has features that intercept form data and sequences of symbols, such as special digits of a social security number, according to a copy of the help file provided to eWEEK.

      Users are also given detailed instructions for deploying the Trojan program, including directions for modifying and uploading script and configuration files that will transmit stolen information back to a computer controlled by the attacker.

      Other features in the builder allow the attacker to configure screen captures of the victim's machine or run commands that turn the infected computer into a “bot” that can be controlled from afar.

      One feature even allows the attacker to provide an account number for online payments company e-Gold Inc. If a user on the infected machine attempts to make a payment using that service, the Trojan will reroute the payment to the specified account, Sites said.

      WinLdra is typically installed from malicious Web pages using exploits for holes in Microsoft Corp.'s Internet Explorer Web browser, Sites said.


      In one case, the program was even distributed from the Web site of a legitimate New Orleans-based company that sells fishing equipment, he said.

      Once it is installed, the program immediately copies and transmits the contents of Windows Protected Storage, which contains saved user names and passwords that are used to access protected Web sites, as well as information stored on any Web forms the user has interacted with.

      Often that action alone yields a treasure trove of information to the attacker, including credit card and social security numbers, Sites said.

      The Hacker's Mistake

      Sunbelt researchers first discovered the WinLdra Trojan in August and traced its communications to uncover evidence of a massive identity theft ring.

      Since then, researchers at the Clearwater, Fla., company have uncovered many more variants of the Trojan, which is believed to have been around for more than two years.

      “We're finding about one or two variants of WinLdra a week,” Sites said.

      However, the point-and-click builder has also been a gift to investigators.

      Malicious hackers who follow the canned instructions to the letter often forget to secure their log files, allowing law enforcement and researchers to recover the data they have stolen and alert consumers, Sites said.

      Sunbelt has passed information about thousands of individuals whose information was stolen by the Trojans and stored on the Internet to banking officials and officials at Visa International Service Assoc. and MasterCard International Inc., he said.

      Recent attacks have targeted customers of HSBC and Bank of America Corp.

      The company is also working with the FBI to investigate the incidents of identity theft, Sunbelt has said in the past.

      WinLdra can be difficult to detect, because new versions can be created quickly and by individuals with relatively little skill. The program is also small and easy to install.


      Once on a machine, WinLdra injects its own DLL into a process used by the Internet Explorer Web browser. That allows the program to mask its own communications as those of the Web browser, circumventing firewalls and other security programs, he said.
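      A defender's counterpart to the behaviour described above is to look at what is actually loaded inside the browser process. The PowerShell script below is an added example, not code from Sunbelt or from the article: it enumerates the DLLs loaded into every running Internet Explorer process and flags any module that lives outside the Windows or Program Files trees or that lacks a valid Authenticode signature. It assumes a Windows host with PowerShell 5 or later and sufficient rights to read the target processes' module lists; the process name, trusted directory list and output fields are assumptions chosen for illustration.

```powershell
# Added example (not from the article): inventory DLLs loaded into Internet Explorer
# processes and flag modules that are unsigned or loaded from outside trusted directories.
# Assumes a Windows host, PowerShell 5+, and permission to inspect the target processes.

# Directories from which legitimately installed code is normally loaded (assumption).
$trustedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Test-InTrustedRoot {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path -like "$root\*") { return $true }
    }
    return $false
}

$findings = foreach ($proc in Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
    # Reading .Modules can fail on a 32/64-bit mismatch or for protected processes;
    # record that rather than aborting the whole sweep.
    try {
        $modules = $proc.Modules
    } catch {
        Write-Warning "PID $($proc.Id): cannot enumerate modules ($($_.Exception.Message))"
        continue
    }

    foreach ($module in $modules) {
        $path = $module.FileName
        $inTrustedRoot = Test-InTrustedRoot -Path $path
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $signed = ($null -ne $sig -and $sig.Status -eq 'Valid')

        if (-not $inTrustedRoot -or -not $signed) {
            [pscustomobject]@{
                ProcessId = $proc.Id
                Module    = $module.ModuleName
                Path      = $path
                Signed    = $signed
                Reason    = if (-not $inTrustedRoot) { 'outside trusted directories' }
                            else { 'unsigned or invalid signature' }
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object ProcessId, Path | Format-Table -AutoSize
} else {
    Write-Output 'No suspicious modules found in running Internet Explorer processes.'
}
```

      Run it from an elevated prompt while the browser is open; an unsigned DLL sitting in a user-writable directory such as a temp or profile folder is the kind of result worth investigating further, while a flagged but validly signed module from a known vendor (a toolbar or plug-in) is usually benign noise that can be added to an allow list.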

      Despite the sophistication of the program, the Trojan builder for WinLdra isn't the most sophisticated that Sites and the staff at Sunbelt have uncovered.

      Other programs for sale on the Internet through dedicated Web sites offer actual graphical user interfaces for building custom Trojans.

      The programs are evidence that information theft is becoming more sophisticated and streamlined, with credit card and social security numbers harvested from vulnerable computers, then offered for sale online, Sites said.

      “The data we've seen is very international. We have information from Poland, France, and Germany. This is so widespread, it's unreal,” he said.
