Russian Windows Trojan Discovered, May Point to Identity Theft Ring

The Atlanta-based security services firm SecureWorks discovered, by way of an inquiry from one of its Windows customers, what appears to be a very sophisticated Trojan horse program. Under intense analysis, the program was discovered to be attempting to deliver users’ certificates and other identifying data to a variety of IP addresses found to be hosted in Russia.

The Trojan trips only a handful of anti-virus programs using heuristic analysis, an in-depth SecureWorks report states, including Sophos, Symantec, F-Prot, and CA’s VET. But it just slips by most other protection programs; and evidence trails uncovered by SecureWorks indicate that specifically-targeted users may have been infected as far back as December 2006.

Surprisingly, a few of the Trojan’s discovered delivery mechanisms are not uncommon, including hiding JavaScript code within an embedded frame of a Web page (using the IFRAME tag) that is itself embedded, and triggering an executable file to run by registering it in the Run tag of the System Registry. The downloading of the executable may take place using XMLHTTP and ActiveX Data Objects components which were found years ago to be security risks, and which Microsoft has long since superseded – even though the components themselves may be in use in many systems for compatibility purposes.

An in-depth examination of the Trojan running on a VMware virtual machine using tools such as SysInternals found that it may actually be using a Registry key as a conduit for transferring data between the infected system and its IP address contact. Older Windows components were deemed security risks for having the ability to read and write values from the System Registry without any pre-authorization – or, more accurately, without any specific authorization since the components themselves were almost automatically considered authorized.

More importantly, SecureWorks discovered that the Trojan tries to log in to a California bank’s servers, initially using false data, apparently in a sequence of attempts to determine the bank’s protocols. SecureWorks believes it uses the information gleaned from these attempts to concoct a way to pass itself off as a layered service provider - a low-level network component – as a means of bypassing SSL encryption.

In the firm’s tests, SecureWorks was able to supply the Trojan with phony certificates and identifying data, not directly but through typical-style communication with real-world Web sites. It was then able to siphon through the Trojan’s communications with its home server, and detect where it had wrapped fake data such as ATM numbers, the last four digits of a Social Security Number, and access PINs within encrypted packets.

If you think this story is wild enough, it does not stop there. In his report, SecureWorks researcher Don Jackson writes about how he posed undercover online as a potential customer searching for a malware kit. Posting solicitations to certain forums with which he was familiar, Jackson uncovered sources in Russia that may be selling this Trojan and others as malware kits, for prices ranging from $500 to $2,000.

Jackson notes that governments thus far have been unable (or perhaps, more accurately, unwilling) to take action to take down the Trojan’s home server, which he says remains active at this time.

As far as what potential victims of this attack may be able to do, Jackson’s prognosis does not look promising. He believes the malware industry in Russia has become so sophisticated that it has successfully commoditized utilities that can modularize and re-package malicious code faster than today’s anti-virus industry can get a handle on its signatures.

“Malware code is so modularized,” Jackson writes, “that AV vendors often misclassify executables, making them difficult to remedy. The product has been commoditized. In all of the code analyzed by SecureWorks Research, no useful utility for encrypting new options data for the Trojan client was found. It's just not distributed. How to customize IP addresses, ports, and URLs for these types of Trojans is a secret reserved by those who manufacture them as part of a service.”

Late yesterday, the US-CERT office of the Dept. of Homeland Security acknowledged SecureWorks’ research, though it could offer no advice to users for protecting themselves and their businesses against this or similar attacks.