The spyware keylogger, named Srv.SSA-KeyLogger, was being used to hijack confidential data from millions of infected computers
and send the information back to a remote server controlled by an identity theft ring.
As previously reported, researchers at Sunbelt Software Inc. made the discovery during an audit of "CoolWebSearch," a program
that routinely hijacks Web searchers, browser home pages and other Internet Explorer settings.
According to Sunbelt president Alex Eckelberry, the keylogger is a small program related to the Dumador/Nibu family of
Trojans.
He said the executable runs under the cover of Microsoft Corp.'s Internet Explorer browser, making it difficult to detect
by software of hardware firewalls.
The keystroke logger has been programmed to shut down the firewall that ships with Windows XP and steal data from the IE
"Protected Storage Area."
The program also hijacks data from the Windows clipboard and uploads all the stolen data to a remote Web server controlled
by an unknown ring of identity thieves.
Read more here about Sunbelt's discovery of the identity theft ring.
Ziff Davis Internet News has confirmed that the data being sent to the Web server included chat sessions, user names, passwords,
bank account information, full names, addresses, eBay and PayPal account information.
The logs being sent to the server also include logins and passwords from a number of software programs, including WebMoney,
Far Manager and Total Commander.
According to Eckelberry, the keylogger also modifies the host file to block the infected machine from accessing anti-virus
programs.
Because the keylogger is programmed to hijack data from the IE "Protected Storage Area," Eckelberry recommends that IE
users turn off the browser's "AutoComplete" feature.
That can be done by unchecking the pre-checked boxes via Tools > Internet Options > Content.
According to Eckelberry, the data stored in that IE feature is very lucrative for identity thieves.
The browser's AutoComplete tool is used to store all data entered on HTML forms when purchasing products over the internet
or filling out personal information like addresses, phone numbers, and Social Security numbers.
It also has a feature that stores usernames and passwords for Web sites that require you to login.
One example of this is online banking Web sites that include Web-based mail servers like Hotmail or Gmail, he explained.
Read more here about the many faces of spyware.
Eckelberry said Sunbelt will share the technical details on the keystroke logger with the entire anti-virus industry to ensure that detections are added for users.
Sunbelt has already updated its CounterSpy and CounterSpy Enterprise anti-spyware databases and plans to post the free
detection tool to the Sunbelt home page on Thursday.
Anti-virus vendor Trend Micro Inc. provides a free online scanning tool that detects and deletes the "CoolWebSearch" application.
The Trend Micro tool is available for the Microsoft Windows XP, Windows 2000, Windows Millennium Edition and Windows 98
operating systems. However, it will not detect the Srv.SSA-KeyLogger executable.
Protection Recommendations:
Sunbelt has published a list of basic security recommendations for users and administrators to help thwart identity thieves.
They include:
Train employees on the dangers of opening attachments they are not expecting. Also, do not install software that is downloaded
from the Internet unless it is scanned for viruses. Even visiting an infected Web site can compromise a computer if certain
browser vulnerabilities have not been patched.
Isolate infected computers quickly to prevent further infection throughout your organization.
Use complex passwords to make it difficult to access key information on compromised computers. Turn off and remove unnecessary
services. Many operating systems install auxiliary services that are not critical, such as an FTP server, Telnet and a Web
server. These services open avenues through which malware can attack.
