Identity-Theft Keylogger Identified

Sunbelt Software has identified the keylogging spyware that is feeding sensitive personal information to an identity-theft ring. The FBI confirms it has been in contact with Sunbelt and is looking into the company's findings.

Thomas Claburn, Editor at Large, Enterprise Mobility

August 11, 2005

3 Min Read

Sunbelt Software Inc. says it has identified the keylogging spyware that is feeding sensitive personal information to the "massive identity-theft ring" identified by company researchers last week.

According to the Florida-based security software company, the keylogger is named Srv.SSA-KeyLogger. It's a variant of a family of Trojans sometimes known as W32/Dumaru. Trojan progams by definition do not spread. Users typically download them onto their PCs without realizing it, or they acquire them through other malware.

According to Phil Owens, product manager at Sunbelt Software, the keylogger is known to be present in adware downloads offered at certain porn and hacking sites. He says that users of unpatched Windows systems prior to Windows XP SP2 can have their PCs infected simply by visiting one of these sites. In other instances, a confirmation dialogue box may be the only warning that a dangerous download is about to take place.

This particular malware, the company warns, steals data from user's Internet sessions, including logins and passwords from online banking sessions and E-commerce sites, and from Internet Explorer's Protected Storage Area, which can contain personal information for use with the browser's Web form AutoComplete function. Specifically, it captures browser window titles and keystrokes when it detects words associated with financial interactions -- including "bank," "casino," "eBay," "login," and "PayPal," to name a few.

Because it runs under Internet Explorer, company president Alex Eckelberry notes in his blog, the keylogger "is generally undetectable by a software or hardware firewall." It also turns off the Windows firewall.

What's more, the keylogger blocks access to the Web sites of many anti-virus security companies by altering the hosts file on infected machines. Sunbelt Software, ironically, isn't among the companies listed.

Once the program has captured enough data, it sends the information in a text file to a remote server where the information is presumably harvested by criminals. This server, Sunbelt claims, is located in the U.S. but registered to an offshore entity. As of Thursday morning PST, the server was still active.

A spokeswoman for the FBI's Dallas field office confirms that the FBI has been in contact with Sunbelt and is looking into the company's findings. She adds that the agency has noted an increase in cybercrime and is allocating its resources appropriately. She says cybercrime is the agency's number three priority, behind counter-terrorism and foreign counterintelligence.

In his blog, Eckelberry expresses his dismay about the potential impact of this keylogger. "In a number of cases, we were so disturbed by what we saw that we contacted individuals who were in direct jeopardy of losing a considerable amount of money," he wrote last Saturday. "One particularly poignant moment was a family in Alabama whom I contacted personally last night and warned them of what was going on. This was a family where the father had just had open-heart surgery, and they had very little money. Everything personal was recorded in the keylogger -- Social Security numbers, their credit card, DOBs, login and password info for their bank and credit-card companies, etc. We were able to warn them in time before they were seriously hurt."

A spokeswoman for Sunbelt Software says the family does not wish to comment on its experience.

Sunbelt says it has updated its CounterSpy anti-spyware program to block the keylogger and expects to have an update for CounterSpy Enterprise shortly. It also has notified other major security companies so they can do the same. Sometime today, it plans to offer a free detection and removal tool on its Web site for those who aren't already customers.

It's not clear whether, as initially believed, the keylogger is related to a family of Trojan programs known as CoolWebSearch. Variants of this Trojan redirect users to, owned by a company in Russia, and affiliated sites. "It was discovered during a CoolWebSearch infestation, but it actually is its own sophisticated criminal little Trojan that's independent of CWS," Eckelberry wrote in his blog on Monday. On Wednesday, he wrote, "It seems related to the CoolWebSearch gang, but that is still not certain."

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights