subject: ID theft spyware scam uncovered
posted: Tue, 23 Aug 2005 11:00:09 +0100


[Nasty. The only defences that I can think of against something like
this are 1) Opera or Firefox; and 2) anomaly detection software such
as Tripwire or WAID. You might try analysing your outbound traffic
but you need a router which logs that info, and an analyser that can
detect anomalous traffic (presumably issuing an alert if the same IP
address is visited more than a certain amount of times, or something,
which wouldn't work so well if the malware used a network of servers).
You could also sniff your outbound traffic for your own personal
information, however this creates a vulnerability in the form of your
sniffer strings, which are all collected up ready for copying, and
won't work if the malware encrypts the data before sending it).
Other than Opera, Tripwire or equivalent is the best bet to avoid
this, now and in the future. - Stu]

http://news.bbc.co.uk/1/hi/technology/4173218.stm

ID theft spyware scam uncovered
By Mark Ward
Technology Correspondent, BBC News website

Thousands of computer users have been caught out by a huge ID theft
ring.

Security firm Sunbelt Software said it stumbled across a US-based
server storing megabytes of data stolen from compromised computers
while researching spyware infections.

The server held passwords for online accounts from 50 banks, Ebay and
Paypal logins, hundreds of credit card numbers and reams of personal
data.

The FBI has reportedly now started investigating the ring of ID
thieves.

Hidden data

The bug that has stolen all the data is thought to be a variant of a
family of trojans known as Dumaru or Nibu that exploit a
vulnerability in Microsoft's Internet Explorer browser.

The trojan, a malicious piece of code, automatically downloaded
itself on computers when people visited sites harbouring the program.

The hidden payload in this bug is a keylogger that grabs a copy of
everything a user types.

What made this bug so effective was its ability to grab text stored
on the clipboard and by Internet Explorer, said Eric Sites, vice
president of research and development at Sunbelt Software.

Microsoft's browser has a feature, called AutoComplete, that
automatically populates boxes on web forms where people typically
fill in names, addresses, e-mail addresses, credit card numbers and
other biographical details.

The feature is supposed to make filling in forms on websites less of
a chore. In this case, said Mr Sites, it helped the ID thieves get
hold of enormously valuable data.

Typically a keylogger produces a file containing an unbroken string
of characters, said Mr Sites.

"It's usually very hard to take that and do anything with it," he
told the BBC News website.

By contrast, AutoComplete data is already labelled and sorted because
the browser has to know where to put each item.

"The way the data is laid out, the quality of it, it's very easy to
go through and use it for nefarious purposes," he said. "This is
about getting money and stealing."

Megabytes of data

The BBC News website was shown the server and some of the files
containing personal data that it was storing. Each file was full of
login names, e-mail addresses, credit card details and everything
needed to steal someone's identity or simply empty their bank
account.

Analysis of information in the files revealed login details for
online services at 50 banks as well as user details for many Ebay and
Paypal accounts. One bank account had more than $380,000 in it.

Sunbelt has contacted some of the people identified in the files to
warn them that they have fallen victim to the bug. Banks, credit card
firms, Ebay and Paypal have been told about compromised accounts.

The server at the centre of the ID theft ring had many multi-megabyte
sized files on it, said Mr Sites. The server, which was based in the
US, was regularly cleaned out by the thieves who created the trojan.

Infected machines sent files back hourly or when the logs of data
they were collecting had reached a certain size.

Browser danger

Mr Sites said that, so far, the trojan had been found on porn sites
and websites offering cracks for pirated software. But, he said, the
trojan was likely to be on many other websites as it had managed to
infect so many users.

Sunbelt believes the trojan has been circulating for about three
weeks and in that time has probably infected thousands of victims.

The vulnerability it exploits means that all a user has to do to fall
victim is to visit the wrong site.

"Type in a web link and your machine is infected," said Mr Sites.
"You do not have to click on anything, the website forces the
installation."

Many victims may have no idea that they have been infected.

"This version of the trojan was very successful," he said. "It was
very small, hard to detect, the file had a very innocuous name and
did not cause any problems to the machine."

The size and sophistication of the ID theft ring led anti-virus and
security companies to quickly produce tools that can spot if a
machine has been compromised by the server and clean up infected
machines.

The trojan was tricky to spot because the files being sent back to
the server were disguised as data traffic generated by a user's
browser.
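A defender-side check for the pattern the article describes (regular, large uploads from an infected machine to one collection server, dressed up as browser traffic), as an added example that is not from the article or from Sunbelt: it scans constructed proxy log lines for client/host pairs with repeated, evenly spaced, large outbound POSTs. The log format, hostnames, addresses and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed proxy log lines (assumed format: epoch_seconds client method host bytes_sent).
# The hourly uploads from 10.0.0.7 to the constructed server drop.example.invalid mimic the
# behaviour the article describes; the remaining lines are ordinary browsing and webmail.
SAMPLE_LOG = """\
1124790000 10.0.0.7 GET www.bbc.co.uk 512
1124790005 10.0.0.7 POST drop.example.invalid 204800
1124791300 10.0.0.7 GET www.bbc.co.uk 480
1124793605 10.0.0.7 POST drop.example.invalid 198000
1124795000 10.0.0.9 GET www.bbc.co.uk 500
1124797205 10.0.0.7 POST drop.example.invalid 210000
1124799000 10.0.0.9 POST mail.example.invalid 3000
1124800805 10.0.0.7 POST drop.example.invalid 201000
1124802000 10.0.0.9 POST mail.example.invalid 2800
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Return (ts, client, method, host, bytes) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, method, host, size = m.groups()
            rows.append((int(ts), client, method, host, int(size)))
    return rows


def find_beacons(rows, min_hits=3, max_cv=0.1, min_bytes=100000):
    """Flag (client, host) pairs with at least min_hits large POSTs whose spacing is
    nearly constant (coefficient of variation of the gaps at or below max_cv)."""
    posts = defaultdict(list)
    for ts, client, method, host, size in rows:
        if method == "POST" and size >= min_bytes:
            posts[(client, host)].append(ts)
    alerts = {}
    for key, stamps in posts.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            alerts[key] = {"hits": len(stamps), "mean_gap_s": mean, "cv": round(cv, 3)}
    return alerts
```

The size floor keeps small, legitimate form posts out of the picture; a size-triggered upload (the article's other trigger) would break the regular spacing, so pairing this with a plain per-host volume count covers both cases.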

---
* Origin: [adminz] tech, security, support (192:168/0.2)

generated by msg2page 0.06 on Jul 21, 2006 at 19:03:42
