T-I-double-guh-Er...The unique and fierce Tigger Trojan pounces

By Angela Gunn | Published March 11, 2009, 8:16 PM

A piece of malware known alternately as Syzor and Tigger.A is gaining interest from security researchers thanks to its unusual behavior, and from stock and options-trading firms thanks to its targeting of customers and employees in that sector.

Tigger takes advantage of a privilege-escalation vulnerability in Windows, a vuln reported in MS08-066 and patched in October. The privilege-escalation exploit allows the malware to override whatever limitations might be on the account. In other words, if you're sensible enough not to run your machine in administrator mode, this malware sidesteps your puny attempt at safe computing. But wait, there's more!

Upon arrival, it cleans house, deleting nearly two dozen other pieces of malware from the system if they're discovered. This is the last nice thing you'll hear about Tigger. Researchers hypothesize that the malware's attempting to make things behave as normally as possible, so as not to draw attention to a machine that's about to experience great hurt.

It installs a rootkit, one that runs in safe mode. The rootkit compromises FAT and NTFS file system drivers, disables kernel debuggers, and blocks other processes from accessing the kernel driver's memory -- in other words, ensuring that rebooting in safe mode will avail you naught.

Tigger then turns its fetid attentions to anti-malware software, disabling many of the most common protections -- products from AVG, Avira, CA, Kaspersky, and Outpost in addition to Windows' own Defender and Firewall options. (Coincidentally, the Conficker virus -- the season's other grand debut -- has taken in recent days to shutting down anti-malware software it finds, according to Symantec.) And now, with the distractions tamped down and the watchdogs shot, it gets busy.

The malware monitors browser events; grabs passwords for IM, email, remote-access, storage and network accounts; sniffs FTP and POP3 authentication information; and steals cookies and certificates. It scoops up screen shots and logs keystrokes just in case you're looking at anything interesting. Then it grabs system information, establishes a backdoor, and attempts to phone home for further instructions.
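The behavior described above gives a defender two cheap things to verify on a Windows host: whether the MS08-066 fix the Trojan relies on is installed, and whether the built-in Defender and Firewall services it switches off are still running. The following read-only check is an added example, not code from the article or from iDefense; it assumes MS08-066 shipped as hotfix KB956803 and that the Defender and Firewall services carry their usual names (WinDefend, MpsSvc on Vista and later, SharedAccess on XP).

```powershell
# Added example: read-only triage check for the two conditions the article
# describes, an unpatched MS08-066 and disabled Windows Defender / Firewall.
# Assumption: MS08-066 is hotfix KB956803. Run from an elevated prompt.

function Test-TiggerExposure {
    $findings = @()

    # 1. Is the MS08-066 fix installed? Get-HotFix throws if the KB is absent.
    try {
        $fix = Get-HotFix -Id 'KB956803' -ErrorAction Stop
        $findings += "OK   MS08-066 fix present (installed $($fix.InstalledOn))"
    } catch {
        $findings += "WARN MS08-066 fix (KB956803) not found: privilege escalation unpatched"
    }

    # 2. Are the built-in watchdogs the article lists still running?
    #    WinDefend = Windows Defender; MpsSvc = Windows Firewall (Vista+);
    #    SharedAccess hosts the firewall on XP.
    $watchdogs = @{
        'WinDefend'    = 'Windows Defender'
        'MpsSvc'       = 'Windows Firewall'
        'SharedAccess' = 'Windows Firewall (XP) / ICS'
    }
    foreach ($name in $watchdogs.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            $findings += "INFO $($watchdogs[$name]) service '$name' not present on this build"
        } elseif ($svc.Status -ne 'Running') {
            $findings += "WARN $($watchdogs[$name]) service '$name' is $($svc.Status)"
        } else {
            $findings += "OK   $($watchdogs[$name]) running"
        }
    }
    return $findings
}

Test-TiggerExposure | ForEach-Object { Write-Output $_ }
```

A WARN on a machine that had Defender or the Firewall enabled yesterday is worth a closer look; the script does not change anything, it only reports.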

All this effort for what, exactly? It's believed that Tigger is targeting stock and trading firms, among them Ameritrade, e-Trade, ING Direct, OptionsXpress, Scottrade, ShareBuilder, and Vanguard. Go ahead and crack wise about how the market drains your portfolio faster than any thief could these days, but clues in the code make it clear that someone out there was willing to commission a very fancy Trojan to get that data.

Michael Hale Ligh, a security analyst at iDefense who has examined Tigger's guts closely, says that a key code used in the rootkit-installation process bears a strong resemblance to one used by the Srizbi botnet struck down back in November. Related? It wouldn't be unthinkable; the Russian-born Srizbi botnet was once responsible for nearly 50% of the world's spam, and one suspects that its keepers would still like to profit from the code by any means necessary.

Ligh's MNIN Security Blog compliments the nasty thing on its sheer creativity -- "one of the most diverse trojans that I've seen," as Ligh puts it. He first tangled with Tigger late last month and has since then been amusing himself with developing a detection method that works without a bootable rescue disk and operates from user mode.

Comments


This trojan just might be the last straw. This is enough to make me consider a career change. Removing malware from customers' PCs has made my job so incredibly boring in recent years...

Score: 0


IMO, werrryyyy cwevver critter... I am impressed at the complexity and deviousness of this one.... I hate to admit, i admire the effort that went into this one... doesn't mean I support the coder(s) or their ends, just that it seems someone thought of every option of disablement on this one :)

Score: 0


Agreed, Eunichman. This is not k1dd13 stuff. (There's a line in The Lion In Winter -- "There is much that is beautiful in evil when it's absolutely pure." I'm afraid it applies.) Of course, commercialization of malware being what it is, you know we'll see this as standard equipment on canned exploits not a year from now.

Score: 0


Great. Now Tigger is going to be bouncing around in my head all day....

Thanks so much for that.

Just for that, I'll see your Tigger reference and raise you a Barney. Hah! Have that song in your head all day.

...oh gawd....now it's in *my* head....Get out!! Gah!!!!......

...

Stupid dinosaur.

//me has likely had far too much coffee this morning.

Score: -3


LOL... my girlfriend's son watches Barney (the reason dinosaurs went extinct in the first place) EVERY MORNING! I have to hum that stupid song on my way to work EVERY MORNING!

In other words, thanks Tool. lol ;-)

Score: 0


"This is the song that doesn't end, yes it goes on and on my friends, some people started singing it not knowing what it was, and they'll continue singing it forever just because this is the song that doesn't end.... .. .. .."

So take that, both Ms. Gunn and Tool.

>:(

Score: 0


AAAA! NOT BRAK! The Geneva Convention clearly states NO BRAK! (Hey Fun Key Bay Bee!) AAAAA! LOOK WHAT YOU'VE DONE! *collapse*

Score: -2


Not quite sure why financial services firms would be running windows with 5 month old security, but there you have it.

Last week at an imaging company's onsite demo I witnessed XP SP2 boxes with windows still prompting to install SP3 and many, many patches behind. The drive was near full, so no patches would install.

Score: 1


I was horrified by that too, MJM[binary]. I'm guessing it's some combination of staffing / merger chaos and full or cheesed drives -- something that can't be patched automatically for whatever reason. But who knows? The reasons people have for not having their security in check never cease to amaze me. (And did you manage to keep a straight face during the prompts? I would have had a tough time not commenting, I really would have.)

Score: -1


You are going to laugh: no patch could overcome human resistance. "The server is working, what is the need of updating? What if it breaks something?" And we are talking about servers FIVE years behind on updates!

Score: 3


One big issue for myself and many others is a lack of broadband access. Limited throughput and high latency cause Microsoft's unforgiving servers to routinely time out on me, even on files as small as two or three megs. Once a month or so I take my machine to the home of a friend with cable so I can keep it updated. A "last mile" solution can't arrive soon enough for folks like me. I'd love to see an article discussing the best options currently available. Oh, and let me head off the snobs right now: computers in so-called "rural" areas are just as important as anyone else's. A PC in BFE can zombie-spam you as readily as any other... ironically, tiny trojans are about the most efficient thing you can send over narrowband. :(

Score: 0


*weeping* I know, Joco, I know... *sigh* And that's another good point, psycros. Many of my family members are in the same situation (and do not get me started on the ISP choices available in some parts of the country) and it has a definite effect on their patch behaviors.

Score: -1


That's one major reason I haven't moved closer to where I work. It would be nice to have a 5 minute commute instead of a 25 minute commute, but the affordable housing is in an area that has no broadband options. To make matters worse, the house we liked has a Charter cable on the poles 100 feet from it but Charter will not hook up anyone on the road until it gets to the subdivision a mile down the road where their "territory" begins.

My wife runs a large part of her business from home and I do quite a bit of internet conferencing, so dial-up is out. I wish rural areas didn't get the shaft, especially when the cable already runs through the area.

Score: 1


After having just done a 2 year stint at a very large financial institution (whose name will go unmentioned), I can tell you first hand that patching IS NOT on the list of priorities, despite what IT professionals, like myself, advise. Ever since I started in the financial industry, I have taken my money out of the banks strictly because of that reason... My home PC is more secure than the servers at work that are housing some poor guy's life savings.

Score: 0

