New keylogger/spamthingy/trojan
mod
Here's a quote from the spyware weekly newsletter, i'm informing you because it sounds like a terrible thing:
[ QUOTE ]
I have had email conversations with a number of people at Sunbelt Software about the ID theft ring they discovered recently. They were kind enough to provide a HijackThis log entry that identifies the keylogger. I promised not to publish it but said I would warn the helpers at the message board to keep an eye out for any victims. Unfortunately, we discovered that dozens of people had been infected. We set about trying to contact them all privately.
Since the HijackThis log entry now has been published elsewhere, including on Sunbelt's web site, I will go ahead and reveal it. Download HijackThis and scan the computer. If the following entry is present in the results, then the computer is infected with this spyware and the user(s) of that computer might be victims of identity theft:
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
Sunbelt has created a free tool to remove this trojan safely. If that entry is found on any computer that you are examining or fixing, visit this page (http://research.sunbelt-software.com/ssaclean.cfm). Download the program linked there, then unplug that computer's modem from the internet. Leave it unplugged until after the trojan has been removed. I've submitted the keylogger to several antispyware and antivirus vendors, so they should be detecting it shortly, if they don't already.
Sunbelt has named this trojan Srv.SSA-KeyLogger.
After that has been done, you then have the sad duty to inform the owner of the machine that they may be the victim of identity theft. From an uninfected machine, they need to log into any web site where they have an account and change their passwords. They also should contact their banks and credit card lenders and inform them of the situation.
Based on that HijackThis entry, some of the spyware gurus at the message board obtained a copy of the keylogger and set about examining it detail. Compared to the browser hijackers and spyware that we see normally, this keylogger is extraordinarily sophisticated.
This keylogger is downloaded and installed by a browser hijacker identified widely as CWS. The computer first has to be infected with a particular variant of this hijacker. After that variant is installed, it downloads this keylogger and then installs it.
At this point, it still is unclear why the hijacker software is installing the keylogger. The person responsible for it might have been paid by a third party to install this file without an explanation of what it does. In that case, then the people responsible for the hijacker are unwitting accomplices in this identity theft operation. It is a common practice for one browser hijacker to download and install several others.
CoolWebSearch.com has released a statement denying any involvement with this situation. The statement says that if anyone has evidence that one of their affiliates is involved, they will contact the FBI with information about the affiliate and immediately suspend their account. I have taken them up on their offer and contacted them to find out if the web sites involved in the browser hijacker belong to one of their affiliates. As much as I personally dislike CoolWebSearch, I would hate to finger them for something like this if they are not responsible.
The keylogger also can be installed separately from the browser hijacker by visiting certain web sites. The main page of these web sites are pay-per-click search portals and have a design very similar to that of coolwebsearch.com and their affiliates.
Once the keylogger is installed, a surprising number of things happen to the infected computer.
Several web sites owned by antivirus and antispyware companies are blocked by modifying the HOSTS file. Mike Burgess of MVPS speculates that since legitimate antimalware web sites are blocked, an infected victim will begin clicking links on the hijacker's web site to find an antispyware program. When that happens, the hijacker ends up being paid for the link referral plus a commission if the victim buys the antispyware program.
I should point out that any antispyware companies advertising on such web sites nearly always are found in the Rogue Antispyware list and are not recommended.
The keylogger itself is set up to run every time the computer restarts. A registry key is written which loads the keylogger even before any user logs into their account. Again, that entry can be identified in a HijackThis scan as O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
This spyware also performs another very cute trick. Just in case someone has discovered that malware has been installed and tries to clean it off, a PE virus infects a harmless program set to load at startup. The program that is infected is chosen at random from the list of start up entries found in the registry. Once this is done, the computer is reinfected with this trojan when it restarts.
This keylogger appears to be designed specifically to capture passwords and user names. It captures chat sessions, collects passwords from various programs such as FTP clients. It reads information from the Windows Clipboard. It also captures data from Internet Explorer's "Protected Storage". This information is dumped into a log file. Once the log file reaches a certain size, the information is uploaded to a remote web server.
After some research, several people have found indications that an older version of this trojan has been infecting people for several months, possibly as far back as December 2004.
A web server is installed on the computer, along with a PHP scripting engine, allowing PHP scripts to be run on the infected computer. PHP is a scripting language used on millions of web sites, including Spywareinfo.com. Some of the PHP scripts included with this trojan allow a person to run programs on the infected computer from a remote location. We are still studying this web server.
Both SMTP and POP3 email servers are installed. Shortly thereafter, the computer begins spewing out spam.
Part of a rootkit is installed, which has been identified as Haxdoor.
The Windows Task Manager is replaced with an altered version.
Internet Explorer itself is infected. A DLL library file hooks into Iexplore.exe using process injection. This means that a firewall might not prevent this trojan from accessing the internet.
The Windows Security Center, installed as part of Windows XP SP2, is disabled. The Windows Firewall and the Automatic Updates services are disabled. If the computer is running Windows XP and does not have Service Pack 2 installed already, the registry is altered in a way that would cause installation of this service pack to fail.
One person reported that files from the program Total Uninstall 3 had been modified to render it inoperable.
The trojan connects to a certain page of a certain web site every five seconds. From this web page, with no password needed, someone can send commands to every infected machine still connected to the internet.
This very clearly is one of the worst malware infections I have ever seen. This whole newsletter is two days late because every time I thought I'd finished this article, we discovered something new about the trojan.
Again, running this tool from Sunbelt (http://research.sunbelt-software.com/ssaclean.cfm) should remove this particular trojan. Other antispyware and antivirus products should begin detecting it very shortly.
Credit for all of the analysis that I have tried to explain here goes to a large number of people: Patrick Jordan (aka Webhelper), Eric Sites and Alex Eckleberry of Sunbelt Software. There are a couple of researchers from Microsoft that I probably shouldn't name. Eric Howes and Suzi from spywarewarrior.com. Paul Laudaski (aka Zhen-Xjell) from Castlecops. From the online antispyware community; Tuxedo_jack, JackB, Avohir, Grinler, Mike Burgess (aka WinHelp2002), Merijn, Metallica, Didom, TheJoker, cnm, jedi, miekiemoes, Swandog46, Atribune, WaRHaWK, Bobbi_Flekman. If I left anyone out, I apologize. There literally were dozens of people picking this thing apart over the last few days.
We are continuing to post news stories related to this ID theft ring in our news section.
[/ QUOTE ]
[ QUOTE ]
I have had email conversations with a number of people at Sunbelt Software about the ID theft ring they discovered recently. They were kind enough to provide a HijackThis log entry that identifies the keylogger. I promised not to publish it but said I would warn the helpers at the message board to keep an eye out for any victims. Unfortunately, we discovered that dozens of people had been infected. We set about trying to contact them all privately.
Since the HijackThis log entry now has been published elsewhere, including on Sunbelt's web site, I will go ahead and reveal it. Download HijackThis and scan the computer. If the following entry is present in the results, then the computer is infected with this spyware and the user(s) of that computer might be victims of identity theft:
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
Sunbelt has created a free tool to remove this trojan safely. If that entry is found on any computer that you are examining or fixing, visit this page (http://research.sunbelt-software.com/ssaclean.cfm). Download the program linked there, then unplug that computer's modem from the internet. Leave it unplugged until after the trojan has been removed. I've submitted the keylogger to several antispyware and antivirus vendors, so they should be detecting it shortly, if they don't already.
Sunbelt has named this trojan Srv.SSA-KeyLogger.
After that has been done, you then have the sad duty to inform the owner of the machine that they may be the victim of identity theft. From an uninfected machine, they need to log into any web site where they have an account and change their passwords. They also should contact their banks and credit card lenders and inform them of the situation.
Based on that HijackThis entry, some of the spyware gurus at the message board obtained a copy of the keylogger and set about examining it detail. Compared to the browser hijackers and spyware that we see normally, this keylogger is extraordinarily sophisticated.
This keylogger is downloaded and installed by a browser hijacker identified widely as CWS. The computer first has to be infected with a particular variant of this hijacker. After that variant is installed, it downloads this keylogger and then installs it.
At this point, it still is unclear why the hijacker software is installing the keylogger. The person responsible for it might have been paid by a third party to install this file without an explanation of what it does. In that case, then the people responsible for the hijacker are unwitting accomplices in this identity theft operation. It is a common practice for one browser hijacker to download and install several others.
CoolWebSearch.com has released a statement denying any involvement with this situation. The statement says that if anyone has evidence that one of their affiliates is involved, they will contact the FBI with information about the affiliate and immediately suspend their account. I have taken them up on their offer and contacted them to find out if the web sites involved in the browser hijacker belong to one of their affiliates. As much as I personally dislike CoolWebSearch, I would hate to finger them for something like this if they are not responsible.
The keylogger also can be installed separately from the browser hijacker by visiting certain web sites. The main page of these web sites are pay-per-click search portals and have a design very similar to that of coolwebsearch.com and their affiliates.
Once the keylogger is installed, a surprising number of things happen to the infected computer.
Several web sites owned by antivirus and antispyware companies are blocked by modifying the HOSTS file. Mike Burgess of MVPS speculates that since legitimate antimalware web sites are blocked, an infected victim will begin clicking links on the hijacker's web site to find an antispyware program. When that happens, the hijacker ends up being paid for the link referral plus a commission if the victim buys the antispyware program.
I should point out that any antispyware companies advertising on such web sites nearly always are found in the Rogue Antispyware list and are not recommended.
The keylogger itself is set up to run every time the computer restarts. A registry key is written which loads the keylogger even before any user logs into their account. Again, that entry can be identified in a HijackThis scan as O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
This spyware also performs another very cute trick. Just in case someone has discovered that malware has been installed and tries to clean it off, a PE virus infects a harmless program set to load at startup. The program that is infected is chosen at random from the list of start up entries found in the registry. Once this is done, the computer is reinfected with this trojan when it restarts.
This keylogger appears to be designed specifically to capture passwords and user names. It captures chat sessions, collects passwords from various programs such as FTP clients. It reads information from the Windows Clipboard. It also captures data from Internet Explorer's "Protected Storage". This information is dumped into a log file. Once the log file reaches a certain size, the information is uploaded to a remote web server.
After some research, several people have found indications that an older version of this trojan has been infecting people for several months, possibly as far back as December 2004.
A web server is installed on the computer, along with a PHP scripting engine, allowing PHP scripts to be run on the infected computer. PHP is a scripting language used on millions of web sites, including Spywareinfo.com. Some of the PHP scripts included with this trojan allow a person to run programs on the infected computer from a remote location. We are still studying this web server.
Both SMTP and POP3 email servers are installed. Shortly thereafter, the computer begins spewing out spam.
Part of a rootkit is installed, which has been identified as Haxdoor.
The Windows Task Manager is replaced with an altered version.
Internet Explorer itself is infected. A DLL library file hooks into Iexplore.exe using process injection. This means that a firewall might not prevent this trojan from accessing the internet.
The Windows Security Center, installed as part of Windows XP SP2, is disabled. The Windows Firewall and the Automatic Updates services are disabled. If the computer is running Windows XP and does not have Service Pack 2 installed already, the registry is altered in a way that would cause installation of this service pack to fail.
One person reported that files from the program Total Uninstall 3 had been modified to render it inoperable.
The trojan connects to a certain page of a certain web site every five seconds. From this web page, with no password needed, someone can send commands to every infected machine still connected to the internet.
This very clearly is one of the worst malware infections I have ever seen. This whole newsletter is two days late because every time I thought I'd finished this article, we discovered something new about the trojan.
Again, running this tool from Sunbelt (http://research.sunbelt-software.com/ssaclean.cfm) should remove this particular trojan. Other antispyware and antivirus products should begin detecting it very shortly.
Credit for all of the analysis that I have tried to explain here goes to a large number of people: Patrick Jordan (aka Webhelper), Eric Sites and Alex Eckleberry of Sunbelt Software. There are a couple of researchers from Microsoft that I probably shouldn't name. Eric Howes and Suzi from spywarewarrior.com. Paul Laudaski (aka Zhen-Xjell) from Castlecops. From the online antispyware community; Tuxedo_jack, JackB, Avohir, Grinler, Mike Burgess (aka WinHelp2002), Merijn, Metallica, Didom, TheJoker, cnm, jedi, miekiemoes, Swandog46, Atribune, WaRHaWK, Bobbi_Flekman. If I left anyone out, I apologize. There literally were dozens of people picking this thing apart over the last few days.
We are continuing to post news stories related to this ID theft ring in our news section.
[/ QUOTE ]
Replies
fortunately im clean from this one.
ill use the opportunity to ask, if anyone is into this stuff:
i am using NAV inet security and also spybot and they detect nothing. all my processes seem legitimic as well, but im Sure ive got a trojan horse. the reason is that every time i go online, at the exact second, NAV tells me it blocked a trojan horse attempt to connect to my computer.
just yesterday microsoft printer spooler service (!?) attempted to connect to a remote system the moment i went online. still, tho, scanning reveals nothing.
what do you think could be behind this?
Ran HijackThis, I'm negative on that thing as well.
http://securityresponse.symantec.com/avcenter/security/Content/14514.html
My computer, my GF's, and my little brother's (all built and set up by me) have not had a single problem in almost a year. I add all sorts of protection to these boxes before they're even connected to a modem. And everyone over here is using Firefox now...except for my mom.
Frank the Avenger
@Shotgun: I would recommend installing HijackThis. You can make a log file with it and post it on the Spyware Warrior forums. If something nasty has installed itself on your computer they can help you get rid of it. Don't fix any of the entries in the log file yourself though; HijackThis doesn't make a difference between good and wrong. It deals directly with the registry. You can seriously damage your computer if you don't know what you're doing.
You can also verify your HijackThis logs with the following online automated analysis tools, but always consult an expert before taking action:
http://hijackthis.de/
http://hjt.iamnotageek.com/
To prefend future infections I can recommend the following actions aswell:
Use the immunize feature in Spybot Search & Destroy.
Install and use Spyware Blaster - also a very good immunization tool.
Install and use Spyware Guard - Another excellent safety barrier.
Install and use Spyad - Prefend even more nasties from installing
Install the MVP Hosts file - Very good safety measure
Use Mozilla Firefox or Opera instead op Internet Explorer.
Oh yeah, I don't like saying this, but Microsoft's AntiSpyware tool is good.
Oh yeah, I don't like saying this, but Microsoft's AntiSpyware tool is good.
It was good but MS started taking donations or something from spyware companies. Whatever the reason, they downclassed all of Claria's (prolific spyware company AKA Gator) viri to "harmless, ignore".
But you are right nothing can save a computer from clueless users (but it would not be as bad with Linux, due to it's superior security design).
And actually if some clueless user loses all the stuff he has ever made, that is better than him loosing all his stuff AND the system (exspecially if it is a relative and I have to fix it
And btw one of the reasons why noone updates his computer (but surly not the biggest one, which is lazyness as you said), is that upgrades to windows cost money (at least if you are beyond the security update phase, which a lot of users are), while Linux updates do not cost anything.
... oh and please ignore this post if it is tempting you to start a flamewar
Face it, lots of clueless users + malware == trouble, no matter what.
[/ QUOTE ]
That's right. Huge marketing empires such as Microsoft have made a killing bringing home computer systems to the average person/family. Everyone has a computer now. Some of them may even realise, something in that beige box is helpful for their lives. What was microsoft's goal? Offer computer systems with Windows pre-installed to every man woman and child and skinny dip in all the cash. What was their mistake? Not fucking explaining to them how it works. It's a broken toaster. The label says Windows HOME edition. The average person has no clue what a patch is, or why it's important. They have no clue why, and how often they should defragment. What the hell is malware? What's a browser?
When you buy a game, say from Nintendo, there are steps within the game that lead you through as a tutorial. It introduces you to the interface, and shows you the available commands and why they're important, and lists details of important features. Even BF2 uses this, and gets you up and running quickly.
It's more than just, "press the start button, idiot". Why isn't this same idea included in Home/Family based prebundled Windows systems, and stuck right on the desktop? The cool thing about Linux users, they know how the system works. User friendly isn't always a good thing, education is. Now if you'll excuse me, I have to go reformat my mom's E-machine.
It was good but MS started taking donations or something from spyware companies. Whatever the reason, they downclassed all of Claria's (prolific spyware company AKA Gator) viri to "harmless, ignore".
[/ QUOTE ]
That's true, but it still finds and destroys loads of other spyware. It's still recommended on forums like www.spywarewarrior.com, because it still deletes more malware than most of the other tools. (I've read a very reliable test in a Dutch computer magazine about that). And you can still get rid of Claria with Spybot Search & Destroy.
It's always recommended to use several reliable spyware removers - because the perfect tool doesn't exist. They all find different stuff.
The following programs are all reliable spyware removers aswell (some are free, some are commercial). I personally like Spy Sweeper very much.
Spybot Search & Destroy
Ad-aware
Webroot Spy Sweeper
Pest Patrol
Spyware Doctor
You can check the trustworthiness of your spyware removal tools here: http://www.spywarewarrior.com/rogue_anti-spyware.htm
It was also mentioned in the article MightyPea quoted.
[ QUOTE ]
The cool thing about Linux users, they know how the system works.
[/ QUOTE ]
I don't, but maybe that's because I have a dual boot system.
[ QUOTE ]
And btw one of the reasons why noone updates his computer (but surly not the biggest one, which is lazyness as you said), is that upgrades to windows cost money (at least if you are beyond the security update phase, which a lot of users are), while Linux updates do not cost anything.
[/ QUOTE ]
I can still download security updates for Windows ME without paying extra cash. You can even download security updates if you're using an illegal version of Windows XP. You can always get the critical updates, because that also protects the users that are actually paying.
Frank the Avenger
Long version:
On reboot, all kinds of things were fucked up. Things were running really slowly, so I checked the windows process viewer to see if I needed to kill something left behind; well, the actual process list was greyed out and inaccessable. I could see what was running, but I couldn't select any processes. And I could see a couple of things that shouldn't have been there, things like ~32.tmp and sgpihga.exe.
I then went out and got a couple of other scanners (AVG and Ewidio) and a better process viewer, after I switched to Firefox. Oh, this also caused me to find out that whatever had installed itself had added a lot of sites to my HOST file, things like mozilla.com and symantec.com, and a lot of other places I'd never heard of. It also changed some entries to allow connections to other sites that were blocked already.
Well, parts of it were found by AVG's virus scanner, it generated temp files called things like ~1.tmp (which were actually executable files) and load32.exe and winldra.exe, also some exes with random names were generated on boot sometimes and those were caught...some parts of it were at least located by Ewidio (I think that's how you spell it) the scanner reccomended by Geek Squad, although it couldn't find the source of the problem. So I ran the new process viewer I had on boot and found something like ten to fifteen tmp files running on boot under to my Adobe Gamma Loader, so I killed that tree and took it out of startup. All that did was keep it from running on boot, as Spysweeper would periodically inform me that something was trying to modify my startup settings and my HOST file, so I knew something was still running somewhere.
So I was very very glad when Pea posted this, as I recognized load32 and winldra, as I'd deleted them out of my /temp directory by hand after noting their creation date (any exe's after a certain date and time in that folder I deleted in safe mode, as they had to be part of the infection). All I'd been able to do on my own was hopefully cripple the thing, but this got rid of it.
I spent a lot of time last week in safe mode and poring over various directories looking at file creation dates. It wasn't really fun, especially since I knew I wasn't getting rid of it. I even spent about two hours hunting through the registry trying to find this thing's entry, and I couldn't find it.
Frank the Avenger
Wait, that shouldn't happen. Do you have some ancient version of Windows with all the old bugs and run no firewall or *shudder* are you using IE?
Frank the Avenger