3620169
story
Comments: 212 +- IT: Tigger.A Trojan Quietly Steals Stock Traders' Data on Tuesday March 03 2009, @04:37PM
Posted
by
kdawson
on Tuesday March 03 2009, @04:37PM
from the where-the-money-is dept.
from the where-the-money-is dept.
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
background: url(//a.fsdn.com/sd/topics/topicmoney.gif); width:84px; height:74px;
money
**$tarDu$t** recommends a Washington Post Security Fix blog post dissecting the Tigger.A trojan, which has been keeping a low profile while exploiting the MS08-66 vulnerability to steal data quietly from online stock brokerages and their customers. An estimated quarter million victims have been infected. The trojan uses a key code to extract its rootkit on host systems that is almost identical to the key used by the Srizbi botnet. The rootkit loads even in Safe Mode. "Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade, and Scottrade. ... Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles ... this is most likely done because the in-your-face 'hey, your-computer-is-infected-go-buy-our-software!' type alerts generated by such programs just might ... lead to all invaders getting booted from the host PC."
Related Stories
"There is no distinctly American criminal class except Congress."
-- Mark Twain
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.
looks like it may be (Score:5, Funny)
Re:looks like it may be (Score:4, Funny)
Parent
Now what we really need... (Score:5, Interesting)
If only there were a similar piece of malware in direct competition with this particular trojan such that both would attempt to remove the other and successfully do so.
It is interesting how malware is adapting so that not only is it able to spread more quickly to a larger number of machines, but also that it's attempting to increase its lifespan by killing off other malware so that the host may not notice that it's infected. I wonder how long it will be until a particular program updates a virus definition list or something similar to remove all other competing malware programs as they come into existence. Also, how much better will the malware be at quickly patching machines against new zero-day exploits than actual virus scanning and prevention software?
Parent
Re:Now what we really need... (Score:5, Insightful)
Such a malware product exists... it's called McAfee, and while it's not very good it does convince lots of people to pay money for it.
Parent
Re:Now what we really need... (Score:5, Funny)
That's a bit harsh. McAffee does a perfectly good job of preventing me doing reasonable things with my own PC like installing programs, running Windows update and using bluetooth to sync with my phone. I wouldn't call that "nothing".
Parent
Re: (Score:3, Insightful)
Re:looks like it may be (Score:4, Insightful)
Woooooooosh.
Parent
Re:looks like it may be (Score:4, Funny)
You use Antivirus 2009, too? Cool.
Parent
Oblig... (Score:5, Funny)
Does it make your computer bounce up and down on its tail too?
Re:Oblig... (Score:5, Insightful)
The wonderful thing about tiggers
Is tiggers are wonderful things!
Their tops are made out of rubber
Their bottoms are made out of springs!
They're bouncy, trouncy, flouncy, pouncy
Fun, fun, fun, fun, fun!
But the most wonderful thing about tiggers is.....
I'm the only one
Parent
Re:Oblig... (Score:5, Funny)
I'm the only one
Hmmmmm... considering that it removes a long list of other malware, that's surprisingly accurate.
Parent
a quarter million !!! (Score:5, Funny)
Re:a quarter million !!! (Score:5, Funny)
I though the most wonderful thing about Tiggers was that there was only one of them
It's a very large quantity of one.
Parent
Re:a quarter million !!! (Score:5, Funny)
I though the most wonderful thing about Tiggers was that there was only one of them
There are many copies. And they have a plan.
Parent
Here's the sum total of the knowledge gained... (Score:4, Funny)
Stocks are going down. Don't buy stock.
Re:Here's the sum total of the knowledge gained... (Score:5, Insightful)
Of course not. You should wait until they're at their 10-year peak and then buy them.
Parent
Re: (Score:3, Interesting)
No, just wait until it tells you it hit rock bottom...
Can that happen ?
Re:Here's the sum total of the knowledge gained... (Score:4, Funny)
Of course not. You should wait until they're at their 10-year peak and then buy them.
Hey, that's my investment strategy! So far it isn't working out so well, but I'm starting a website "ShortMyPortfolio.com". If past performance is any indication, it should be the best investment advice available at any price.
Parent
Re: (Score:3, Insightful)
Hmm... (Score:2)
Re:Hmm... (Score:5, Interesting)
Parent
Re: (Score:3, Interesting)
"If you must have crime, at least it should be organized crime..."
Attributed to the Patrician of Ankh-Morpork
Re:Hmm... (Score:4, Funny)
I'm okay with this worm stealing data so long as it put a little more effort into it: you know, it could introduce itself as Prince Leta Matobo living in exile in Ghana, spend some time building up a rapport, and then start making suggestions about making billions of dollars using 100% guaranteed modalities.
This automated stealing of data is just bullshit.
Parent
Re:Hmm... (Score:4, Insightful)
It's only illegal if your name isn't SONY or BMG. If your name IS SONY or BMG, you simply need to deposit two iTunes songs on the machine, and you're held harmless.
Parent
The real question is... (Score:3, Funny)
sourcing the problem (Score:2, Informative)
Attacks like this, namely single vector and single target, point to a single person or small number of persons who have found some way of using the data to profit themselves. We're probably looking at someone in their late 20s, based in the United States(cursory examination -- appears the institutions are all english and based in the US), upper middle class, 5-7 years experience programming (self-explanatory), single, male, and with a history of mental health disorders along axis IV, socially under-develope
Re:sourcing the problem (Score:5, Funny)
find someone who was recently in debt, and is now very much out of debt
Agreed, let's go after the bailout recipients.
Parent
Re: (Score:3, Interesting)
Agreed, let's go after the bailout recipients.
No. It should be assumed this person has familiarity with those systems, in order to develop the code. Acting alone (highly probable), that means he likely has/had accounts with many if not all of those financial service providers. That grossly limits the number of available suspects. His industry and age also narrow the list even further. That probably leaves perhaps 10k worth of potential suspects in the pool. I'd be guessing, but he probably hopes to convert the stolen accounts stocks to cash, launder it
Re:sourcing the problem (Score:5, Insightful)
Link it with possible terrorism to bypass the usual rules that would prevent a dragnet, and chances are good you find your man. At least, that's how I'd investigate.
Well then thank goodness you're not investigating. Crap like this is the exact reason many of us were outraged at the Patriot Act and similar legislation; back in 2001-2 we argued that such legislation would become an easy way for investigators to ignore the Constitution for a host of other crimes. There's been plenty of evidence of that happening already, but it's rare to see someone openly advocate such an abuse of law -- usually, in fact, conservatives defended these laws by saying they would never be used against anyone but the most dangerous international terrorists.
Parent
Re:sourcing the problem (Score:5, Informative)
I was about to post the same exact words. The analysis is completely faulty, based on some incredibly vague and unrelated statistics, and the call to action includes zero verification of those assumptions. Narrowing the US population to the specified profile would probably provide a single hit, but that hit would also almost certainly not be related to the trojan. That's because this is a pure case of garbage in, garbage out.
Parent
Re:sourcing the problem (Score:4, Insightful)
Yes yes, we've always known that it's harder to be good than evil. We've got thousand year old texts on the subject, we have pop sci-fi trilogies (ahem) on the subject. It's a known deal.
Me personally, I'd rather see a few thousands die than see our country go down the path of least resistance. I've been unfortunate enough to see both occur during the past decade.
Parent
Re: (Score:3, Insightful)
The truth is something that only people of a certain moral flexibility are good at uncovering.
Err, again, no. The truth has little to do with moral flexibility and all to do with facts. The fact that you confuse the two makes me question whether you understand what truth actually is.
Finally, you're also sadly mistaken if you assume that what you do on a forum has no repercussions elsewhere. At the very least, what you say on it is a reflection of who you are, and how you will act outside of it. It's not a political act, it's a social statement.
You might be technically savvy, but your understanding o
Re: (Score:2)
dude (Score:5, Funny)
you just described the entire slashdot demographic
Parent
yes but (Score:3, Funny)
you nailed the whole "socially under-developed" bit, since you just responded with great seriousness to a throwaway joke
Re:sourcing the problem (Score:5, Informative)
Forget tracing back through the network -- find out where the money is going. You have a many-to-one relationship, it's unlikely this guy is smart enough to launder money effectively -- the entire attack scenario points to someone new and inexperienced, and is acting alone hoping this will reduce his risk exposure.
I would imagine the guy who wrote this isn't working alone. Most of these kinds of attacks aren't meant to directly transfer money from the victim's brokerage account to an account controlled by the attacker.
They use the hijacked accounts to purchase large quantities of a low-volume penny stock. The attacker, or the group he works for, already have a large position in that stock. The huge increase in demand pushes the price for the stock up. This causes all kinds of people to sell--including the attacker. And they make a tidy profit, while the victims are left with a large quantity of over-priced stock.
The hard part about catching the perpetrators is sifting through the list of all the people who sold the stock at the inflated prices. A bunch of people make money from a scam like this, but only one is the criminal.
Parent
Re: (Score:3, Insightful)
Someone likes their CSI
Re:sourcing the problem (Score:5, Insightful)
Err, no. You might have the most likely demographic right, but that's just because they contain the majority of crackers. As for the debt, it is very unlikely someone in that demographic managed to accumulate a lot of debt.
What I'm pretty sure you got completely wrong is the acting alone part. You do not profit of this kind of targeted scheme by working alone. You either have a taskmaster who requested this info, or you know the people who will be able to profit from this info.
Really, nice try, but I'm pretty sure you have no idea who the crackers really are, and how they operate. I don't know em personally either, but I've got enough experience with DSM and psychological profiling to call shenanigans on your assessment.
Parent
Re: (Score:3, Interesting)
I don't know em personally either, but I've got enough experience with DSM and psychological profiling to call shenanigans on your assessment.
And yet you don't state your qualifications. Well, here's mine: I have been in information technology for eleven years, have done network and system administration at the enterprise level, and have assisted investigators tracking down so-called "hackers". I also have about four years of programming experience, mostly to support the aforementioned. I also have spent a significant portion of my professional time learning digital forensics, taking apart malware kits, and have friends that do skip-tracing profe
time for 2-factor (Score:4, Insightful)
It is time for online financial institutions (brokerages and banks) to require real 2-factor authentication to log in to their sites. When I sign up for a bank account, I want them to mail me an ATM card with an embedded smartcard chip, along with a cheap USB smartcard reader. Alternatively, send a one-time-passphrase device like SecurID.
This may be a little expensive up front, but it would cut down on enough fraud that it might pay for itself.
Re: (Score:3, Insightful)
I want them to mail me an ATM card with an embedded smartcard chip, along with a cheap USB smartcard reader.
Thats just fine, but they most likely won't release drivers for it for anything other than Windows and perhaps OS X, so any BSD, Linux, or other alternate OS user gets left out.
Secondly, it would be trivial for an attacker to put in compromised drivers in the system that reads out all the secure info and forwards it to his website where he can duplicate all the secure keys and such.
Re: (Score:3, Informative)
Malware that removes malware (Score:2, Interesting)
This makes me wonder just how widespread it could be.
And... (Score:2, Funny)
...nothing of value was lost.
Version 2.0 (Score:5, Interesting)
Version 2.0 won't just steal data. It'll make trades. Aside from the obvious theft possibilities, the controller would have the ability to create his very own economic meltdown, in any companies he wished, limited only by the size of his botnet...
Re: (Score:3, Interesting)
If it's too blatant ("meltdown") trading will just be halted. Better to be small about it. Buy stock X. Start doing a few hundred buys against a small stock from various PCs, run up the price, sell stock X, keep profit. Not much different than the email scams that try to pump up penny stocks, except in this case rather than just trying to get someone to buy it, you'd just buy it from their account for them.
I've often wondered when viruses would start getting smarter. A virus that simply changed some of
Operating Systems List (XP Only) (Score:3, Informative)
It would be nice if they had a list of Antivirus programs that were effective and/or operating systems affected, nice and prominent somewhere linked from the article.
FYI, from the security bulletin:
Affected software:
XP Service Pack 2 & 3
XP Pro x64 and x64 Service Pack 2
Server 2003 Service Packs 1 & 2
Server 2003 x64 and x64 Service Pack 2
Server 2003 with SP1 and SP2 for Itanium
Non-affected:
Win2K SP 4
Vista & Vista SP1
Vista x64&SP1
Server 2008 32
Server 2008 x64
Server 2008 Itanium
Unethical (Score:3, Funny)
Man, that's just unethical. What's the world coming to?
But look on the bright side - even though honour among thieves is gone, at least the banking world lives on.
Re:Every time Obama opens his mouth... (Score:4, Insightful)
-OR-
Investors, having heard that Obama has the successful in his cross hairs and intends to seize the fruits of their labor and give it to the unsuccessful in the name of fairness, are panicking.
Don't you mean the fruits of other people's labor. Last time I checked investors don't actually produce anything.
Parent
Can I get a better update host? (Score:3, Insightful)
Microsoft isn't exactly the most trustworthy when it comes to automatically installing anything they want on your computer, which is what you suggest. There doesn't seem to be a checkbox for "only fix security flaws" in Windows Update. I find I still have to sift through the options manually.