New keylogger/spamthingy/trojan

Here's a quote from the spyware weekly newsletter, I'm informing you because it sounds like a terrible thing:
[ QUOTE ]
I have had email conversations with a number of people at Sunbelt Software about the ID theft ring they discovered recently. They were kind enough to provide a HijackThis log entry that identifies the keylogger. I promised not to publish it but said I would warn the helpers at the message board to keep an eye out for any victims. Unfortunately, we discovered that dozens of people had been infected. We set about trying to contact them all privately.

Since the HijackThis log entry now has been published elsewhere, including on Sunbelt's web site, I will go ahead and reveal it. Download HijackThis and scan the computer. If the following entry is present in the results, then the computer is infected with this spyware and the user(s) of that computer might be victims of identity theft:
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe

Sunbelt has created a free tool to remove this trojan safely. If that entry is found on any computer that you are examining or fixing, visit this page (http://research.sunbelt-software.com/ssaclean.cfm). Download the program linked there, then unplug that computer's modem from the internet. Leave it unplugged until after the trojan has been removed. I've submitted the keylogger to several antispyware and antivirus vendors, so they should be detecting it shortly, if they don't already.

Sunbelt has named this trojan Srv.SSA-KeyLogger.

After that has been done, you then have the sad duty to inform the owner of the machine that they may be the victim of identity theft. From an uninfected machine, they need to log into any web site where they have an account and change their passwords. They also should contact their banks and credit card lenders and inform them of the situation.

Based on that HijackThis entry, some of the spyware gurus at the message board obtained a copy of the keylogger and set about examining it in detail. Compared to the browser hijackers and spyware that we see normally, this keylogger is extraordinarily sophisticated.

This keylogger is downloaded and installed by a browser hijacker identified widely as CWS. The computer first has to be infected with a particular variant of this hijacker. After that variant is installed, it downloads this keylogger and then installs it.

At this point, it still is unclear why the hijacker software is installing the keylogger. The person responsible for it might have been paid by a third party to install this file without an explanation of what it does. In that case, then the people responsible for the hijacker are unwitting accomplices in this identity theft operation. It is a common practice for one browser hijacker to download and install several others.

CoolWebSearch.com has released a statement denying any involvement with this situation. The statement says that if anyone has evidence that one of their affiliates is involved, they will contact the FBI with information about the affiliate and immediately suspend their account. I have taken them up on their offer and contacted them to find out if the web sites involved in the browser hijacker belong to one of their affiliates. As much as I personally dislike CoolWebSearch, I would hate to finger them for something like this if they are not responsible.

The keylogger also can be installed separately from the browser hijacker by visiting certain web sites. The main pages of these web sites are pay-per-click search portals and have a design very similar to that of coolwebsearch.com and their affiliates.

Once the keylogger is installed, a surprising number of things happen to the infected computer.

Several web sites owned by antivirus and antispyware companies are blocked by modifying the HOSTS file. Mike Burgess of MVPS speculates that since legitimate antimalware web sites are blocked, an infected victim will begin clicking links on the hijacker's web site to find an antispyware program. When that happens, the hijacker ends up being paid for the link referral plus a commission if the victim buys the antispyware program.

I should point out that any antispyware companies advertising on such web sites nearly always are found in the Rogue Antispyware list and are not recommended.

The keylogger itself is set up to run every time the computer restarts. A registry key is written which loads the keylogger even before any user logs into their account. Again, that entry can be identified in a HijackThis scan as O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe

This spyware also performs another very cute trick. Just in case someone has discovered that malware has been installed and tries to clean it off, a PE virus infects a harmless program set to load at startup. The program that is infected is chosen at random from the list of start up entries found in the registry. Once this is done, the computer is reinfected with this trojan when it restarts.

This keylogger appears to be designed specifically to capture passwords and user names. It captures chat sessions, collects passwords from various programs such as FTP clients. It reads information from the Windows Clipboard. It also captures data from Internet Explorer's "Protected Storage". This information is dumped into a log file. Once the log file reaches a certain size, the information is uploaded to a remote web server.

After some research, several people have found indications that an older version of this trojan has been infecting people for several months, possibly as far back as December 2004.

A web server is installed on the computer, along with a PHP scripting engine, allowing PHP scripts to be run on the infected computer. PHP is a scripting language used on millions of web sites, including Spywareinfo.com. Some of the PHP scripts included with this trojan allow a person to run programs on the infected computer from a remote location. We are still studying this web server.

Both SMTP and POP3 email servers are installed. Shortly thereafter, the computer begins spewing out spam.

Part of a rootkit is installed, which has been identified as Haxdoor.

The Windows Task Manager is replaced with an altered version.

Internet Explorer itself is infected. A DLL library file hooks into Iexplore.exe using process injection. This means that a firewall might not prevent this trojan from accessing the internet.

The Windows Security Center, installed as part of Windows XP SP2, is disabled. The Windows Firewall and the Automatic Updates services are disabled. If the computer is running Windows XP and does not have Service Pack 2 installed already, the registry is altered in a way that would cause installation of this service pack to fail.

One person reported that files from the program Total Uninstall 3 had been modified to render it inoperable.

The trojan connects to a certain page of a certain web site every five seconds. From this web page, with no password needed, someone can send commands to every infected machine still connected to the internet.

This very clearly is one of the worst malware infections I have ever seen. This whole newsletter is two days late because every time I thought I'd finished this article, we discovered something new about the trojan.

Again, running this tool from Sunbelt (http://research.sunbelt-software.com/ssaclean.cfm) should remove this particular trojan. Other antispyware and antivirus products should begin detecting it very shortly.

Credit for all of the analysis that I have tried to explain here goes to a large number of people: Patrick Jordan (aka Webhelper), Eric Sites and Alex Eckleberry of Sunbelt Software. There are a couple of researchers from Microsoft that I probably shouldn't name. Eric Howes and Suzi from spywarewarrior.com. Paul Laudaski (aka Zhen-Xjell) from Castlecops. From the online antispyware community; Tuxedo_jack, JackB, Avohir, Grinler, Mike Burgess (aka WinHelp2002), Merijn, Metallica, Didom, TheJoker, cnm, jedi, miekiemoes, Swandog46, Atribune, WaRHaWK, Bobbi_Flekman. If I left anyone out, I apologize. There literally were dozens of people picking this thing apart over the last few days.

We are continuing to post news stories related to this ID theft ring in our news section.


[/ QUOTE ]
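
An added example, not part of the original post or the quoted newsletter: a small triage script that looks for the published `load32` / `winldra.exe` autorun entry in a saved HijackThis log and for HOSTS-file lines that override security-related domains. The function names, the watch list and both sample inputs are assumptions constructed for illustration.

```python
import re

# Indicator published in the quoted newsletter (HijackThis O4 autorun entry).
IOC_VALUE_NAME = "load32"
IOC_IMAGE_NAME = "winldra.exe"
# Assumption: watch list for the example; both names come from a later reply
# in this thread. Extend it with the vendor sites you rely on.
WATCHED_DOMAINS = ("symantec.com", "mozilla.com")

O4_RE = re.compile(r"^O4\s*-\s*(?P<key>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
IMAGE_RE = re.compile(r"(?:^|[\\/])" + re.escape(IOC_IMAGE_NAME) + r"(?![\w.])", re.I)


def parse_o4(log_text):
    """Return (registry key, value name, command) for each registry O4 line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m["key"].strip(), m["name"].strip(), m["cmd"].strip()))
    return entries


def match_keylogger(entries):
    """Keep entries whose value name or image file matches the indicator."""
    return [e for e in entries
            if e[1].lower() == IOC_VALUE_NAME or IMAGE_RE.search(e[2])]


def hosts_redirects(hosts_text, watched=WATCHED_DOMAINS):
    """Return (address, hostname) for HOSTS lines that pin a watched domain."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            h = host.lower().rstrip(".")
            if any(h == d or h.endswith("." + d) for d in watched):
                hits.append((fields[0], h))
    return hits


# Constructed sample inputs (not taken from a real machine).
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\example\placeholder.dll
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /quiet
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - Global Startup: Example Loader.lnk = C:\Program Files\Example\loader.exe
"""

SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 www.symantec.com   # vendor site pinned to loopback
127.0.0.1 ads.example.net
10.0.0.5 www.mozilla.com update.example.org
"""

if __name__ == "__main__":
    for key, name, cmd in match_keylogger(parse_o4(SAMPLE_LOG)):
        print(f"INDICATOR: {key} [{name}] {cmd}")
    for ip, host in hosts_redirects(SAMPLE_HOSTS):
        print(f"HOSTS override: {host} -> {ip}")
```

A clean result is not proof of a clean machine: a later reply in this thread reports an infection whose entry did not appear in the HijackThis log.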

Replies

  • shotgun
    shotgun polycounter lvl 20
    thanks for the post ~~
    fortunately I'm clean from this one.

    I'll use the opportunity to ask, if anyone is into this stuff:

    I am using NAV inet security and also spybot and they detect nothing. all my processes seem legitimate as well, but I'm Sure I've got a trojan horse. the reason is that every time I go online, at the exact second, NAV tells me it blocked a trojan horse attempt to connect to my computer.

    just yesterday Microsoft printer spooler service (!?) attempted to connect to a remote system the moment I went online. still, though, scanning reveals nothing.

    what do you think could be behind this?
  • KDR_11k
    KDR_11k polycounter lvl 18
    Windows tries to phone home all by itself, that's not a sign of an infected system but standard behaviour.

    Ran HijackThis, I'm negative on that thing as well.
  • Cubik
    Cubik polycounter lvl 18
    No idea if this has anything to do with what's happening to your comp, shotgun, but I'll post it anyway:
    http://securityresponse.symantec.com/avcenter/security/Content/14514.html
  • ElysiumGX
    ElysiumGX polycounter lvl 18
    My dad's credit card number was stolen last week and used to buy a $400 cell phone which was shipped to New York. I soon checked to realize my mom's computer was loaded with spyware. I'll have to run HijackThis on her PC soon.

    My computer, my GF's, and my little brother's (all built and set up by me) have not had a single problem in almost a year. I add all sorts of protection to these boxes before they're even connected to a modem. And everyone over here is using Firefox now...except for my mom.
  • CheapAlert
    CheapAlert polycounter lvl 18
    I've none of this spy junk you speak of, \o/ for not running internet explorer
  • shotgun
    shotgun polycounter lvl 20
  • Frank
    Frank polycounter lvl 18
    I'm almost positive I have this, I've been fighting some damn thing for a week and have only succeeded in disabling it, not cleaning it. Well, as far as I know. And none of the scanners I've installed could find the source of the problem (I found how the process was running on boot and killed the process it was linked to, got rid of the files it generated...but it sometimes still generates them, and I can't tell from where). I actually kind of hope this is it, and thanks for posting it Pea.

    Frank the Avenger
  • Michael Knubben
    No problem. When I read it I already kind of figured it was a bitch to get rid of, and there would be some people who'd be quite grateful to hear there's a simple fix.
  • NuclearTes
    NuclearTes polycounter lvl 18
    Damn, that sounds really nasty. I did a scan with HijackThis immediately. I was really glad that entry didn't show up.

    @Shotgun: I would recommend installing HijackThis. You can make a log file with it and post it on the Spyware Warrior forums. If something nasty has installed itself on your computer they can help you get rid of it. Don't fix any of the entries in the log file yourself though; HijackThis doesn't make a difference between good and wrong. It deals directly with the registry. You can seriously damage your computer if you don't know what you're doing.

    You can also verify your HijackThis logs with the following online automated analysis tools, but always consult an expert before taking action:
    http://hijackthis.de/
    http://hjt.iamnotageek.com/

    To prevent future infections I can recommend the following actions as well:

    Use the immunize feature in Spybot Search & Destroy.
    Install and use Spyware Blaster - also a very good immunization tool.
    Install and use Spyware Guard - Another excellent safety barrier.
    Install and use Spyad - Prevent even more nasties from installing
    Install the MVP Hosts file - Very good safety measure
    Use Mozilla Firefox or Opera instead of Internet Explorer.
    Oh yeah, I don't like saying this, but Microsoft's AntiSpyware tool is good.
  • JKMakowka
    JKMakowka polycounter lvl 18
    Ahh, the joy of using Linux :P
  • KDR_11k
    KDR_11k polycounter lvl 18
    If Linux was as popular as you'd like it to be you'd see tons of malware for Linux, too. Can't mess up your system because you're not running as root? I'd consider losing my system less of a problem than losing all the stuff I ever made. Of course I make backups but Joe Sixpack won't. Face it, lots of clueless users + malware == trouble, no matter what. You can only restrict them so much before they'll start complaining and when there's no sysadmin around to explain WHY they're not supposed to do this or that they'll try to do it by any means possible. Never mind many idiots won't patch very often (Blaster is the proof of this) so any privilege escalation vulnerabilities will be fixed too late on their system at which point it could already have tainted the Kernel or otherwise completely owned the computer to the point where the filesystem drivers themselves start hiding the malware.

    [ QUOTE ]
    Oh yeah, I don't like saying this, but Microsoft's AntiSpyware tool is good.
    [/ QUOTE ]

    It was good but MS started taking donations or something from spyware companies. Whatever the reason, they downclassed all of Claria's (prolific spyware company AKA Gator) viri to "harmless, ignore".
  • JKMakowka
    JKMakowka polycounter lvl 18
    'if' is the correct word, but right now I am perfectly safe on my Linux box :P

    But you are right nothing can save a computer from clueless users (but it would not be as bad with Linux, due to its superior security design).
    And actually if some clueless user loses all the stuff he has ever made, that is better than him losing all his stuff AND the system (especially if it is a relative and I have to fix it :S )

    And btw one of the reasons why no one updates his computer (but surely not the biggest one, which is laziness as you said), is that upgrades to Windows cost money (at least if you are beyond the security update phase, which a lot of users are), while Linux updates do not cost anything.

    ... oh and please ignore this post if it is tempting you to start a flamewar :P
  • ElysiumGX
    ElysiumGX polycounter lvl 18
    [ QUOTE ]
    Face it, lots of clueless users + malware == trouble, no matter what.

    [/ QUOTE ]

    That's right. Huge marketing empires such as Microsoft have made a killing bringing home computer systems to the average person/family. Everyone has a computer now. Some of them may even realise, something in that beige box is helpful for their lives. What was Microsoft's goal? Offer computer systems with Windows pre-installed to every man woman and child and skinny dip in all the cash. What was their mistake? Not fucking explaining to them how it works. It's a broken toaster. The label says Windows HOME edition. The average person has no clue what a patch is, or why it's important. They have no clue why, and how often they should defragment. What the hell is malware? What's a browser?

    When you buy a game, say from Nintendo, there are steps within the game that lead you through as a tutorial. It introduces you to the interface, and shows you the available commands and why they're important, and lists details of important features. Even BF2 uses this, and gets you up and running quickly.

    It's more than just, "press the start button, idiot". Why isn't this same idea included in Home/Family based prebundled Windows systems, and stuck right on the desktop? The cool thing about Linux users, they know how the system works. User friendly isn't always a good thing, education is. Now if you'll excuse me, I have to go reformat my mom's E-machine.
  • NuclearTes
    NuclearTes polycounter lvl 18
    [ QUOTE ]
    It was good but MS started taking donations or something from spyware companies. Whatever the reason, they downclassed all of Claria's (prolific spyware company AKA Gator) viri to "harmless, ignore".

    [/ QUOTE ]

    That's true, but it still finds and destroys loads of other spyware. It's still recommended on forums like www.spywarewarrior.com, because it still deletes more malware than most of the other tools. (I've read a very reliable test in a Dutch computer magazine about that). And you can still get rid of Claria with Spybot Search & Destroy.

    It's always recommended to use several reliable spyware removers - because the perfect tool doesn't exist. They all find different stuff.

    The following programs are all reliable spyware removers as well (some are free, some are commercial). I personally like Spy Sweeper very much.

    Spybot Search & Destroy
    Ad-aware
    Webroot Spy Sweeper
    Pest Patrol
    Spyware Doctor

    You can check the trustworthiness of your spyware removal tools here: http://www.spywarewarrior.com/rogue_anti-spyware.htm
    It was also mentioned in the article MightyPea quoted.

    [ QUOTE ]
    The cool thing about Linux users, they know how the system works.

    [/ QUOTE ]
    I don't, but maybe that's because I have a dual boot system. I've successfully installed software on it - but I know very little about Linux. I'm interested in learning more though.

    [ QUOTE ]
    And btw one of the reasons why no one updates his computer (but surely not the biggest one, which is laziness as you said), is that upgrades to Windows cost money (at least if you are beyond the security update phase, which a lot of users are), while Linux updates do not cost anything.


    [/ QUOTE ]
    I can still download security updates for Windows ME without paying extra cash. You can even download security updates if you're using an illegal version of Windows XP. You can always get the critical updates, because that also protects the users that are actually paying.
  • Frank
    Frank polycounter lvl 18
    I did in fact have this thing, and I stress it didn't show up on a HijackThis scan. I've been using HJT for over a year, it was one of the first things I used, and there wasn't anything in the log about this thing. It is nasty, nasty shit.

    Frank the Avenger
  • NuclearTes
    NuclearTes polycounter lvl 18
    @Frank: Ok, what tool did find the nasty bugger? I'm interested.
  • Frank
    Frank polycounter lvl 18
    The tool Pea linked above got rid of it, a bunch of other scanners could see parts of it and my tinkering in safe mode did some good but we couldn't find the root of the problem.

    Long version: :) Last weekend I was wandering around the net when Spysweeper (that I like so much I actually paid for) went absolutely bonkers, telling me all this stuff was trying to install itself, and should it be allowed. It was a variant of CWS, I think three trojans and a piece of spyware it told me about. So I knew I had something, so I ran a full scan and told it to delete everything it found, which it did get rid of the trojans and CWS, and then I rebooted.

    On reboot, all kinds of things were fucked up. Things were running really slowly, so I checked the windows process viewer to see if I needed to kill something left behind; well, the actual process list was greyed out and inaccessible. I could see what was running, but I couldn't select any processes. And I could see a couple of things that shouldn't have been there, things like ~32.tmp and sgpihga.exe.

    I then went out and got a couple of other scanners (AVG and Ewidio) and a better process viewer, after I switched to Firefox. Oh, this also caused me to find out that whatever had installed itself had added a lot of sites to my HOST file, things like mozilla.com and symantec.com, and a lot of other places I'd never heard of. It also changed some entries to allow connections to other sites that were blocked already.

    Well, parts of it were found by AVG's virus scanner, it generated temp files called things like ~1.tmp (which were actually executable files) and load32.exe and winldra.exe, also some exes with random names were generated on boot sometimes and those were caught...some parts of it were at least located by Ewidio (I think that's how you spell it) the scanner recommended by Geek Squad, although it couldn't find the source of the problem. So I ran the new process viewer I had on boot and found something like ten to fifteen tmp files running on boot under my Adobe Gamma Loader, so I killed that tree and took it out of startup. All that did was keep it from running on boot, as Spysweeper would periodically inform me that something was trying to modify my startup settings and my HOST file, so I knew something was still running somewhere.

    So I was very very glad when Pea posted this, as I recognized load32 and winldra, as I'd deleted them out of my /temp directory by hand after noting their creation date (any exe's after a certain date and time in that folder I deleted in safe mode, as they had to be part of the infection). All I'd been able to do on my own was hopefully cripple the thing, but this got rid of it.

    I spent a lot of time last week in safe mode and poring over various directories looking at file creation dates. It wasn't really fun, especially since I knew I wasn't getting rid of it. I even spent about two hours hunting through the registry trying to find this thing's entry, and I couldn't find it.

    Frank the Avenger
  • KDR_11k
    KDR_11k polycounter lvl 18
    [ QUOTE ]
    telling me all this stuff was trying to install itself
    [/ QUOTE ]

    Wait, that shouldn't happen. Do you have some ancient version of Windows with all the old bugs and run no firewall or *shudder* are you using IE?
  • Frank
    Frank polycounter lvl 18
    I was running IE, I was sure I could take care of anything that managed to get through. I'm not any more. :)

    Frank the Avenger