Identity-Theft Keylogger Identified - InformationWeek
01:25 PM
Connect Directly

Identity-Theft Keylogger Identified

Sunbelt Software has identified the keylogging spyware that is feeding sensitive personal information to an identity-theft ring. The FBI confirms it has been in contact with Sunbelt and is looking into the company's findings.

Sunbelt Software Inc. says it has identified the keylogging spyware that is feeding sensitive personal information to the "massive identity-theft ring" identified by company researchers last week.

According to the Florida-based security software company, the keylogger is named Srv.SSA-KeyLogger. It's a variant of a family of Trojans sometimes known as W32/Dumaru. Trojan progams by definition do not spread. Users typically download them onto their PCs without realizing it, or they acquire them through other malware.

According to Phil Owens, product manager at Sunbelt Software, the keylogger is known to be present in adware downloads offered at certain porn and hacking sites. He says that users of unpatched Windows systems prior to Windows XP SP2 can have their PCs infected simply by visiting one of these sites. In other instances, a confirmation dialogue box may be the only warning that a dangerous download is about to take place.

This particular malware, the company warns, steals data from user's Internet sessions, including logins and passwords from online banking sessions and E-commerce sites, and from Internet Explorer's Protected Storage Area, which can contain personal information for use with the browser's Web form AutoComplete function. Specifically, it captures browser window titles and keystrokes when it detects words associated with financial interactions -- including "bank," "casino," "eBay," "login," and "PayPal," to name a few.

Because it runs under Internet Explorer, company president Alex Eckelberry notes in his blog, the keylogger "is generally undetectable by a software or hardware firewall." It also turns off the Windows firewall.

What's more, the keylogger blocks access to the Web sites of many anti-virus security companies by altering the hosts file on infected machines. Sunbelt Software, ironically, isn't among the companies listed.

Once the program has captured enough data, it sends the information in a text file to a remote server where the information is presumably harvested by criminals. This server, Sunbelt claims, is located in the U.S. but registered to an offshore entity. As of Thursday morning PST, the server was still active.

A spokeswoman for the FBI's Dallas field office confirms that the FBI has been in contact with Sunbelt and is looking into the company's findings. She adds that the agency has noted an increase in cybercrime and is allocating its resources appropriately. She says cybercrime is the agency's number three priority, behind counter-terrorism and foreign counterintelligence.

In his blog, Eckelberry expresses his dismay about the potential impact of this keylogger. "In a number of cases, we were so disturbed by what we saw that we contacted individuals who were in direct jeopardy of losing a considerable amount of money," he wrote last Saturday. "One particularly poignant moment was a family in Alabama whom I contacted personally last night and warned them of what was going on. This was a family where the father had just had open-heart surgery, and they had very little money. Everything personal was recorded in the keylogger -- Social Security numbers, their credit card, DOBs, login and password info for their bank and credit-card companies, etc. We were able to warn them in time before they were seriously hurt."

A spokeswoman for Sunbelt Software says the family does not wish to comment on its experience.

Sunbelt says it has updated its CounterSpy anti-spyware program to block the keylogger and expects to have an update for CounterSpy Enterprise shortly. It also has notified other major security companies so they can do the same. Sometime today, it plans to offer a free detection and removal tool on its Web site for those who aren't already customers.

It's not clear whether, as initially believed, the keylogger is related to a family of Trojan programs known as CoolWebSearch. Variants of this Trojan redirect users to, owned by a company in Russia, and affiliated sites. "It was discovered during a CoolWebSearch infestation, but it actually is its own sophisticated criminal little Trojan that's independent of CWS," Eckelberry wrote in his blog on Monday. On Wednesday, he wrote, "It seems related to the CoolWebSearch gang, but that is still not certain."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Digital Transformation Myths & Truths
Transformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll