June 27, 2007

Hackers build new Trojans with online 'construction kit'

Tool kit costs £500 and comes with instruction manual

By Jaikumar Vijayan

Hacker groups are using a "construction kit" supplied by the author of a Trojan horse program discovered last October to develop and unleash more dangerous variants of the original malware.

The new Trojans have been used to steal sensitive information belonging to at least 10,000 individuals and to send the data to rogue servers in China, Russia and the US, Don Jackson, a researcher at security firm SecureWorks, said.

The stolen data includes social security numbers, online account information, bank account and credit card numbers, user names and passwords – some of it stolen from businesses.

The Prg Trojan, as it has been dubbed by SecureWorks, is a variant of another Trojan called wnspoem that was unearthed in October. The Prg Trojan and its variants are designed to sniff sensitive data from internal memory buffers in Windows before the data is encrypted and sent to secure socket layer (SSL) protected websites.

The Trojans are programmed to send the stolen data to servers around the world where it is stored in encrypted fashion and sold on to people looking for such information. An analysis of log files on the servers storing the stolen data found that a lot of the information was coming from corporate PCs, Jackson said.

The variants included a new function that allows them to listen on TCP port 6081 and wait for a remote attacker to connect and issue commands for forwarding data or for rummaging through files on the compromised system, Jackson said.

The newer variants were also more configurable and could be programmed to send stolen data to its final destination via a chain of proxy servers. The new Prg variants encrypt stolen data in a different way to the original version, making older analysis tools obsolete, he said.

What makes the threat from the Prg Trojan especially potent is the availability of a construction tool kit that allows hackers to develop and release new versions of the code faster than antivirus vendors can devise applications, Jackson said.

The tool kit appears to have been developed by the Russian authors of the original wnspoem Trojan and comes complete with a three-page instruction manual in Russian.

Originally, the kit appears to have been sold to other hacker groups for around $1,000 (£500). But more recently it appears to have been posted on an underground website, where others have been downloading and using it, Jackson said.

Newsletters

Sign up to our Weekly Round-Up for the past week’s not-to-be-missed news analysis and insight delivered straight to your inbox.