Data-Stealing Trojan Disclosure Frustrates Researchers, Vendors, and Law Enforcement - InformationWeek

Can cybercrooks successfully attack at will, and are those who report the details of these attacks causing more harm than good?

There are two questions in the realm of IT security that simply won't go away: Can cybercrooks successfully attack at will, and are those who report the details of these attacks causing more harm than good? The revelation earlier this week by a security vendor and research firm that a Trojan horse may have stolen sensitive information from hundreds of businesses and government entities has revived this heated debate.

U.K.-based security vendor Prevx says its software last week detected a program running on customers' computers that behaved suspiciously, creating an outbound HTTP connection to a Web site and sending information out of customers' IT environments. "These were classic behaviors of an information-stealing Trojan," Prevx CEO Mel Morris told InformationWeek.

Further study led Prevx researchers to a directory on a Web site, www.martin-golf.net/pajero, which was live until Tuesday afternoon Eastern Time but has since been taken down. The directory listed 494 different computers (identified by IP address) that were running the mysterious program Prevx had found. The program encrypted sensitive information such as logins and passwords and left an online ransom note informing the victim that all of their private information for the last three months had been taken and that they needed to pay $300 to buy software from the cybercrook that could decrypt it.

Morris noted that the martin-golf.net directory was just a front for the scam and that the site's owner likely had no knowledge the site was being misused in this way.
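A triage of the behaviour the preceding paragraphs describe (outbound HTTP uploads to the drop directory, victims counted by source IP, bytes transmitted), written here as an added example; it is not Prevx's software and the article shows no code. The proxy log format, every sample log line, the INTERNAL_SUFFIXES allowlist and the LARGE_POST_BYTES threshold are constructed assumptions; only the drop-site host and directory come from the article.

```python
"""Triage of suspected info-stealer uploads from a web-proxy access log.

Added example, not Prevx's tooling. The log format, sample lines,
allowlist and threshold are constructed so the script runs offline.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Drop site named in the article. The indicator is the directory, not the
# whole host: the site owner was described as an unwitting host.
DROP_HOST = "www.martin-golf.net"
DROP_PATH_PREFIX = "/pajero"

# Hypothetical tuning for the generic signal: hosts whose large uploads are
# expected, and the upload size above which a POST elsewhere is worth a look.
INTERNAL_SUFFIXES = (".example.com",)
LARGE_POST_BYTES = 256 * 1024

# Constructed log lines: "<epoch> <client_ip> <method> <url> <status> <bytes_out>"
SAMPLE_LOG = """\
1184400001 10.1.4.22 POST http://www.martin-golf.net/pajero/up.php 200 524288
1184400007 10.1.4.22 POST http://www.martin-golf.net/pajero/up.php 200 131072
1184400015 10.1.9.8 GET http://www.example.com/index.html 200 512
1184400021 10.1.7.101 POST http://www.martin-golf.net/pajero/up.php 200 1048576
1184400033 10.1.9.8 POST http://intranet.example.com/login 302 180
1184400040 10.1.4.22 GET http://www.martin-golf.net/ 200 3000
1184400050 10.1.12.5 POST http://203.0.113.10/up.php 200 409600
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, nbytes = parts
    try:
        return {"ts": int(ts), "client": client, "method": method.upper(),
                "url": url, "status": int(status), "bytes_out": int(nbytes)}
    except ValueError:
        return None


def is_drop_request(url):
    """True only for requests into the known drop directory, not the bare host."""
    u = urlsplit(url)
    return u.hostname == DROP_HOST and u.path.startswith(DROP_PATH_PREFIX)


def is_suspicious_upload(rec):
    """Generic signal: a large POST to a host we do not own."""
    host = urlsplit(rec["url"]).hostname or ""
    internal = host.endswith(INTERNAL_SUFFIXES)
    return (rec["method"] == "POST"
            and rec["bytes_out"] >= LARGE_POST_BYTES
            and not internal)


def triage(log_text):
    """Aggregate drop-site victims by client IP and collect generic hits."""
    victims = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    generic_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_drop_request(rec["url"]):
            v = victims[rec["client"]]
            v["requests"] += 1
            v["bytes_out"] += rec["bytes_out"]
        elif is_suspicious_upload(rec):
            generic_hits.append(rec)
    return {
        "victims": dict(victims),
        "victim_count": len(victims),
        "total_bytes_out": sum(v["bytes_out"] for v in victims.values()),
        "generic_hits": generic_hits,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['victim_count']} victim hosts, "
          f"{report['total_bytes_out']} bytes uploaded to the drop directory")
    for ip, stats in sorted(report["victims"].items()):
        print(f"  {ip}: {stats['requests']} uploads, {stats['bytes_out']} bytes")
    for hit in report["generic_hits"]:
        print(f"  review: {hit['client']} POST {hit['bytes_out']} bytes to {hit['url']}")
```

The script scopes the hard indicator to the /pajero directory rather than the domain, since the article presents the site owner as an unwitting host; the plain GET to the site root in the sample is therefore not counted. The second, size-based signal is what a behavioural product would have to rely on before any drop site is known, and it produces review items rather than verdicts.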

Prevx, having determined that this was the work of a Trojan that had infected computers at hundreds of businesses and government agencies, notified U.K. law enforcement as well as the FBI in the U.S., Morris said. The next step was to send copies of the malware to a number of other security vendors, whose products Morris claimed had failed to detect the Trojan, which was relatively unsophisticated in that it didn't use a rootkit or techniques for hiding itself.

Here's where the story gets a bit contentious and exemplifies the competitiveness in the security vendor market as well as the fine line that security researchers walk when they want to disclose their findings.

Morris said that he and his team on July 14 alerted the FBI to the presence of this Trojan and had a conference call with the agency the following day. Prevx told the agency that it had identified 494 computer systems that had encrypted and transmitted about 200 Mbytes worth of data, which Prevx had decrypted only to find logins, passwords, and other sensitive data. "The FBI said they would be moving forward with their investigation," he said. The FBI confirmed that they had been contacted by Prevx, but would provide no further details nor confirm whether the July 15 discussion took place.

Prevx has spoken freely about which companies it contacted to inform them that they'd been hit by the Trojan. Morris claimed that the Trojan was found inside IT systems belonging to American Airlines, Booz Allen Hamilton, and the State Department, although none of them would comment on Prevx's story. Morris characterized their reaction to Prevx as ranging from apathetic responses ("they're too busy") to indignant responses that questioned Prevx's credentials.

Likewise, Prevx claimed to have contacted several security vendors to alert them that their products had not caught the Trojan. One of the security vendors, Trend Micro, acknowledged that it was aware of the Trojan and that its products can now detect and protect customers against this Trojan.

Yet Trend Micro was "ethically taken aback" by what it saw as Prevx's cavalier decision to go public so quickly with its research, David Perry, the company's global director of education, told InformationWeek.

Trend Micro, however, is no stranger to controversy over security disclosure. In late September 2006, the company, which had been studying software bots and promoting a service to detect them, reported finding bot infestations in numerous government agencies. Trend Micro's list included the Defense Department, the Navy Network Information Center, and the Pittsburgh Supercomputing Center. Several organizations on the list challenged Trend Micro's research.

While it's not clear how much damage the Trojan in question has caused or why its creators were asking for only $300 in ransom, it is obvious that the IT industry, its customers, and law enforcement still aren't on the same page when it comes to finding, reporting, and fixing security threats.
