So, it turns out this thing isn't stopped by any software firewalls or anti-virus programs yet.
Quote:
The keylogger from hell.
Ok, we have the latest on this identity theft ring. And it’s pretty interesting.
Remember that all we found was the cache of data from the thieves — we didn’t have the actual keylogger that was responsible for it. We had a keylogger we had found that was similar and provided us some clues, but not this specific one that was reporting all this data back.
So we had to find the keylogger. That entailed trying to actually get a hold of a machine.
Last night, we finally got an infected machine and were able to figure out what’s going on.
Briefly:
– Its footprint is extremely small — about 26k.
– It seems related to the CoolWebSearch gang, but that is still not certain.
– It is related to the Dumador/Nibu family of trojans. The keylogger executable is winldra.exe.
– It runs under Internet Explorer (IE), so it is generally undetectable by a software or hardware firewall. So much for my ranting about the need to run a software firewall.
– It turns off the Windows firewall.
– It steals data in the IE Protected Storage area.
– It steals data from the Windows clipboard.
– As is normal with Dumador/Nibu variants, it steals logins and passwords from a number of programs: WebMoney, Far Manager and Total Commander; and modifies the hosts file to stop access to Trend Micro, Mcafee.com, Symantec.com, Etrust/Computer Associates, AVP, Kaspersky, F-secure, etc.
Since one thing it does is steal the IE Protected Storage Area, you can protect this data by turning off all the AutoComplete stuff in IE.
So far as we know, this keylogger is not detected by most of the major AV companies. We are coming out with a fix in the next several hours which will be available a) to customers running CounterSpy (or the free trial) and b) through a free application we will make available.
They are going to have a free fix available today, and you can download CounterSpy here, http://www.ihatespyware.com/, as it has the protection in it now. They are also sharing the info with all security companies to get fixes out there ASAP.
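One of the symptoms listed in the quoted post is that the trojan rewrites the hosts file so the infected machine can no longer reach Trend Micro, McAfee, Symantec, CA/eTrust, AVP, Kaspersky or F-Secure. That tampering is easy to check for by hand. The script below is an added example, not code from the original post or from Sunbelt/CounterSpy: it parses hosts-file text and reports any entry for a security-vendor domain, since a clean hosts file has no reason to resolve those names statically. The vendor domain list is constructed from the names in the post (assumed domains, not a complete list), and the sample hosts content is constructed to resemble the described tampering.

```python
"""Flag hosts-file entries that hijack security-vendor domains.

Added example for this thread; not the trojan, the fix, or CounterSpy code.
"""
import os
import sys

# Assumed domains for the vendors named in the post (constructed list; extend as needed).
SECURITY_VENDOR_DOMAINS = (
    "trendmicro.com",
    "mcafee.com",
    "symantec.com",
    "ca.com",        # Computer Associates / eTrust
    "avp.com",
    "kaspersky.com",
    "f-secure.com",
)

# Constructed sample hosts content modelled on the tampering described in the post.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com   # trailing comment
127.0.0.1       www.kaspersky.com
0.0.0.0         www.trendmicro.com
192.168.1.50    intranet.example.local
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks.

    A single line may map several hostnames to one address, so each name is
    yielded separately.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_vendor_domain(hostname):
    """True if hostname is one of the vendor domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in SECURITY_VENDOR_DOMAINS)


def find_hijacked_vendor_entries(text):
    """Return [(ip, hostname)] for every vendor domain the hosts file overrides.

    Any override is suspicious regardless of the address used: the post
    describes loopback-style redirects, but pointing the name at a bogus
    remote host has the same effect of blocking the vendor's site.
    """
    return [(ip, name) for ip, name in parse_hosts(text) if is_vendor_domain(name)]


def windows_hosts_path():
    """Standard location of the hosts file on Windows."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    # Check a file given on the command line, the system hosts file on Windows,
    # or fall back to the constructed sample so the script runs anywhere.
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    elif sys.platform.startswith("win"):
        text = open(windows_hosts_path(), encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_HOSTS
    hits = find_hijacked_vendor_entries(text)
    if not hits:
        print("No security-vendor domains are overridden in the hosts file.")
    for ip, name in hits:
        print(f"SUSPICIOUS: {name} -> {ip}")
```

Run it with no arguments on a Windows box to inspect the live hosts file, or pass a path to a hosts file copied from a suspect machine. Removing the flagged lines restores access to the vendor sites, which is a prerequisite for pulling down updated definitions once the AV companies ship detection.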