Avian Gamers Network
http://www.avian-gamers.net/forums/

Serious spyware/identity theft info
http://www.avian-gamers.net/forums/viewtopic.php?f=1&t=15227

Author:  Cetera [ Mon Aug 08, 2005 8:56 am ]
Post subject:  Serious spyware/identity theft info

http://sunbeltblog.blogspot.com/
http://netrn.net/spywareblog/archives/2 ... iscovered/
http://www.computerworld.com/securityto ... 37,00.html
http://informationweek.com/story/showAr ... =167600273

Author:  Angelus [ Mon Aug 08, 2005 10:30 am ]
Post subject: 

Scary stuff indeed.

Author:  Cetera [ Thu Aug 11, 2005 7:59 am ]
Post subject: 

So, it turns out this thing isn't stopped by any software firewalls, nor anti-virus programs yet.

Quote:
The keylogger from hell.

Ok, we have the latest on this identity theft ring. And it’s pretty interesting.

Remember that all we found was the cache of data from the thieves — we didn’t have the actual keylogger that was responsible for it. We had a keylogger we had found that was similar and provided us some clues, but not this specific one that was reporting all this data back.

So we had to find the keylogger. That entailed trying to actually get a hold of a machine.

Last night, we finally got an infected machine and were able to figure out what’s going on.

Briefly:

– Its footprint is extremely small — about 26k.

– It seems related to the CoolWebSearch gang, but that is still not certain.

– It is related to the Dumador/Nibu family of trojans. The keylogger executable is winldra.exe.

– It runs under Internet Explorer (IE), so it is generally undetectable by a software or hardware firewall. So much for my ranting about the need to run a software firewall.

– It turns off the Windows firewall.

– It steals data in the IE Protected Storage area.

– It steals data from the Windows clipboard

– As is normal with Dumador/Nibu variants, it steals logins and passwords from a number of programs: WebMoney, Far Manager and Total Commander; and modifies the host file to stop access to Trend Micro, Mcafee.com, Symantec.com, Etrust/Computer Associates, AVP, Kaspersky, F-secure, etc.

Since one thing it does is steal the IE Protected Storage Area, you can protect this data by turning off all the AutoComplete stuff in IE.
So far as we know, this keylogger is not detected by most of the major AV companies. We are coming out with a fix in the next several hours which will be available a) to customers running CounterSpy (or the free trial) and b) through a free application we will make available.
They are going to have a free fix available today, and you can download CounterSpy here, http://www.ihatespyware.com/, as it has the protection in it now. They are also sharing the info with all security companies to get fixes out there ASAP.
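The quoted write-up says the trojan edits the hosts file so the victim can no longer reach the security vendors' sites. A quick way to check a machine for that symptom is to parse the hosts file and flag any line that pins a vendor domain. This is an added example, not code from the thread or from Sunbelt; the vendor domain spellings (trendmicro.com, ca.com, avp.com, etc.) and the sample hosts content are my own assumptions.

```python
from typing import List, Tuple

# Domains of the vendors the write-up lists as blocked by Dumador/Nibu
# variants. Spellings are assumed; matched by suffix so subdomains such as
# liveupdate.symantec.com are caught too.
VENDOR_DOMAINS = (
    "trendmicro.com", "mcafee.com", "symantec.com", "ca.com",
    "avp.com", "kaspersky.com", "f-secure.com",
)

# Constructed sample hosts file: legitimate lines plus entries of the kind
# the trojan writes to keep the victim away from AV update sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com
127.0.0.1       mcafee.com   # injected
0.0.0.0         liveupdate.symantec.com
192.168.1.10    fileserver.lan
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, skipping comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/full-line comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]     # one IP, one or more host names
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def is_vendor_host(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)


def find_blocked_vendors(text: str) -> List[Tuple[str, str]]:
    """Flag hosts entries that pin a security vendor's domain to any address.
    A vendor name has no business in a workstation's hosts file, so the line
    is suspicious whatever IP it points at (loopback, 0.0.0.0 or a redirect)."""
    return [(ip, n) for ip, n in parse_hosts(text) if is_vendor_host(n)]


if __name__ == "__main__":
    # On a real Windows box read C:\Windows\System32\drivers\etc\hosts instead.
    for ip, name in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```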

Author:  Cetera [ Thu Aug 11, 2005 8:10 am ]
Post subject: 

Yay. :|

Quote:
And now for the BAD news ... a brand NEW set of files has just been released, and once AGAIN the file scan will no longer match the new variants. As far as BOClean, once again it's STILL based on that "15" version and will be detected as a variant of that as well as its keylogger. So here we go again.

Just flung an update out upon discovery, there will be intradailies later on the plain old hijack stuff we've collected tonight, didn't want to hold up the update once we saw what we'd found ...

Author:  Rocklar [ Thu Aug 11, 2005 10:57 am ]
Post subject: 

How about hardware firewalls?

I'm in a rush and don't have time to read the whole bit on this right now but thought I'd throw out the fact that I have a hardware firewall built into my Linksys router. Think that'll do the trick?

Author:  Cetera [ Thu Aug 11, 2005 11:33 am ]
Post subject: 

Supposedly the thing is masked by IE, and if your hardware router doesn't block IE, then no, it won't do the trick. Of course, it may still stop it if it only lets IE out on very selected ports that the keylogger doesn't use. Apparently Firefox isn't affected yet, so that is a big plus. It sounds like they've got this one figured out, and so the new version of it should be just a matter of determining how it was packaged so that the software will recognize it and be able to kill it without it regenerating itself.
