News
News
8/11/2005
01:25 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Identity-Theft Keylogger Identified

Sunbelt Software has identified the keylogging spyware that is feeding sensitive personal information to an identity-theft ring. The FBI confirms it has been in contact with Sunbelt and is looking into the company's findings.

Sunbelt Software Inc. says it has identified the keylogging spyware that is feeding sensitive personal information to the "massive identity-theft ring" identified by company researchers last week.

According to the Florida-based security software company, the keylogger is named Srv.SSA-KeyLogger. It's a variant of a family of Trojans sometimes known as W32/Dumaru. Trojan progams by definition do not spread. Users typically download them onto their PCs without realizing it, or they acquire them through other malware.

According to Phil Owens, product manager at Sunbelt Software, the keylogger is known to be present in adware downloads offered at certain porn and hacking sites. He says that users of unpatched Windows systems prior to Windows XP SP2 can have their PCs infected simply by visiting one of these sites. In other instances, a confirmation dialogue box may be the only warning that a dangerous download is about to take place.

This particular malware, the company warns, steals data from user's Internet sessions, including logins and passwords from online banking sessions and E-commerce sites, and from Internet Explorer's Protected Storage Area, which can contain personal information for use with the browser's Web form AutoComplete function. Specifically, it captures browser window titles and keystrokes when it detects words associated with financial interactions -- including "bank," "casino," "eBay," "login," and "PayPal," to name a few.

Because it runs under Internet Explorer, company president Alex Eckelberry notes in his blog, the keylogger "is generally undetectable by a software or hardware firewall." It also turns off the Windows firewall.

What's more, the keylogger blocks access to the Web sites of many anti-virus security companies by altering the hosts file on infected machines. Sunbelt Software, ironically, isn't among the companies listed.

Once the program has captured enough data, it sends the information in a text file to a remote server where the information is presumably harvested by criminals. This server, Sunbelt claims, is located in the U.S. but registered to an offshore entity. As of Thursday morning PST, the server was still active.

A spokeswoman for the FBI's Dallas field office confirms that the FBI has been in contact with Sunbelt and is looking into the company's findings. She adds that the agency has noted an increase in cybercrime and is allocating its resources appropriately. She says cybercrime is the agency's number three priority, behind counter-terrorism and foreign counterintelligence.

In his blog, Eckelberry expresses his dismay about the potential impact of this keylogger. "In a number of cases, we were so disturbed by what we saw that we contacted individuals who were in direct jeopardy of losing a considerable amount of money," he wrote last Saturday. "One particularly poignant moment was a family in Alabama whom I contacted personally last night and warned them of what was going on. This was a family where the father had just had open-heart surgery, and they had very little money. Everything personal was recorded in the keylogger -- Social Security numbers, their credit card, DOBs, login and password info for their bank and credit-card companies, etc. We were able to warn them in time before they were seriously hurt."

A spokeswoman for Sunbelt Software says the family does not wish to comment on its experience.

Sunbelt says it has updated its CounterSpy anti-spyware program to block the keylogger and expects to have an update for CounterSpy Enterprise shortly. It also has notified other major security companies so they can do the same. Sometime today, it plans to offer a free detection and removal tool on its Web site for those who aren't already customers.

It's not clear whether, as initially believed, the keylogger is related to a family of Trojan programs known as CoolWebSearch. Variants of this Trojan redirect users to coolwebsearch.com, owned by a company in Russia, and affiliated sites. "It was discovered during a CoolWebSearch infestation, but it actually is its own sophisticated criminal little Trojan that's independent of CWS," Eckelberry wrote in his blog on Monday. On Wednesday, he wrote, "It seems related to the CoolWebSearch gang, but that is still not certain."

Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.