A large identity theft ring uncovered by an anti-spyware researcher has security experts warning companies about the threat posed by a new generation of Trojan horse programs that mine information stored on Windows systems.
The FBI and the Secret Service are both investigating the ring, which was discovered by a researcher at Sunbelt Software Inc., an anti-spyware software vendor, earlier this month. Machines belonging to thousands of individuals and companies are believed to have been compromised in the scam, which uses Trojan horse programs to grab information stored on Windows systems and transmit it to servers controlled by the identity thieves, said Eric Sites, vice president of research and development at Sunbelt.
The theft ring was discovered after a researcher stumbled onto it while researching Cool Web Search, a virulent form of spyware, said Sites. The researcher, Patrick Jordan, is an expert on Cool Web Search and was studying malicious programs that were downloaded from a pornographic Web site that is known to distribute the Cool Web Search spyware, Sites said.
Jordan noticed a new Trojan horse program that was being distributed from the site and communicating to a remote server in the United States. After locating and exploring that server, Jordan found text files with information on thousands of victims, including bank account information for several companies, according to information posted online by Alex Eckelberry, president of Sunbelt.
The machines were probably compromised in so-called drive-by downloads from the malicious Web sites. Attackers used known vulnerabilities in Microsoft Corp.s Internet Explorer Web browser, or other programs, to silently install the Trojan horse and other programs, including a tool that turned compromised machines into spam distribution hubs, Sites said.
At least two new variants of a Trojan horse program are known to be used in the identity theft scam, although Sunbelt declined to identify the programs or the site from which the Trojan horse program was distributed, citing the ongoing investigation.
Most of the stolen data was stored on compromised systems using features such as Protected Storage, a standard Windows feature that secures personal data such as user names and passwords, network shares, and data entered into secure Web site forms. The Trojan horse programs used in the attack were programmed to grab data from Protected Storage and to search for sensitive information, such as bank account or credit card information, and then report it to the attackers, Sites said.
The data was being updated continuously by similar programs running on thousands of compromised machines worldwide and then periodically downloaded by the identity thieves.
Nick Phelps of Tampa, Fla., was one victim of the scam.
Phelps, a computer forensics researcher, said that a computer at his place of employment was compromised in the scam, divulging data from Web surfing sessions that had been saved by Internet Explorer.
Phelps doesnt know how the machine was infected; he said, though, that it was being used for research and did not have the latest software patches.
“We see a ton of this kind of stuff. I was just surprised that they stumbled on [the data] in so public a place,” Phelps said.