Security The Almighty Buck

Tigger.A Trojan Quietly Steals Stock Traders' Data

Posted by kdawson
from the where-the-money-is dept.
**$tarDu$t** recommends a Washington Post Security Fix blog post dissecting the Tigger.A trojan, which has been keeping a low profile while exploiting the MS08-066 vulnerability to steal data quietly from online stock brokerages and their customers. An estimated quarter million victims have been infected. The trojan uses a key code to extract its rootkit on host systems that is almost identical to the key used by the Srizbi botnet. The rootkit loads even in Safe Mode. "Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade, and Scottrade. ... Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles ... this is most likely done because the in-your-face 'hey, your-computer-is-infected-go-buy-our-software!' type alerts generated by such programs just might ... lead to all invaders getting booted from the host PC."
  • by bugs2squash (1132591) on Tuesday March 03, 2009 @04:39PM (#27056745)
    more effective that the antivirus I use today
    • by Anonymous Coward on Tuesday March 03, 2009 @04:55PM (#27056973)
      And much, much more effective than your English class.
    • by alvinrod (889928) on Tuesday March 03, 2009 @04:56PM (#27056995)

      If only there were a similar piece of malware in direct competition with this particular trojan such that both would attempt to remove the other and successfully do so.

      It is interesting how malware is adapting so that not only is it able to spread more quickly to a larger number of machines, but also that it's attempting to increase its lifespan by killing off other malware so that the host may not notice that it's infected. I wonder how long it will be until a particular program updates a virus definition list or something similar to remove all other competing malware programs as they come into existence. Also, how much better will the malware be at quickly patching machines against new zero-day exploits than actual virus scanning and prevention software?

      • by DigitalCrackPipe (626884) on Tuesday March 03, 2009 @05:46PM (#27057653)
        I wonder how long it will be until a particular program updates a virus definition list or something similar to remove all other competing malware programs as they come into existence
        Such a malware product exists... it's called McAfee, and while it's not very good it does convince lots of people to pay money for it.
        • by EdIII (1114411) *

          Yeah, it's nice to attack McAfee, but what is YOUR alternative?

          I had to stop using and installing Norton since it made systems unstable and crash. It was a resource nightmare. I had less problems once I installed McAfee. Of course, I was never under the delusion that it could catch everything, but it was better than nothing.

          Sincerely, if you have something against McAfee and it is not a good product, then what is your solution to Antivirus on the desktop and your gateways?

          • by rts008 (812749)

            NOD32, AVG, and Avast are 3 that I have recommended to Windows users for the past several years. My own antivirus solution is Kubuntu and common sense, which has worked painlessly for 6 years now.

    • Re: (Score:3, Insightful)

      by amclay (1356377)
      Probably not. Tigger removes adware/spyware, and not all spyware even then. Viruses are different than your typical spyware. There's a whole host of things that are different than spyware that I'm not going to clarify, but don't go around thinking Tigger is some sort of anti-virus because it's not.
    • by transporter_ii (986545) on Tuesday March 03, 2009 @05:42PM (#27057603) Homepage

      You use Antivirus 2009, too? Cool.

  • Oblig... (Score:5, Funny)

    by 8127972 (73495) on Tuesday March 03, 2009 @04:39PM (#27056747)

    Does it make your computer bounce up and down on its tail too?

  • by bugs2squash (1132591) on Tuesday March 03, 2009 @04:42PM (#27056783)
    I thought the most wonderful thing about Tiggers was that there was only one of them
  • by Anonymous Coward on Tuesday March 03, 2009 @04:46PM (#27056825)

    Stocks are going down. Don't buy stock.

  • So basically somebody needs to take out that whole "stealing your data" part from this worm and re-release it back into the wild and it would be a good thing?
    • Re:Hmm... (Score:5, Interesting)

      by interiot (50685) on Tuesday March 03, 2009 @04:54PM (#27056945) Homepage
      Benevolent worms are a perennial suggestion in computer security, and the conclusion is always no no no no [schneier.com].
      • Benevolent worms would have to be better than malicious ones. I mean, seriously. Benevolent worms might trash someone's life's work, but in that same time it's going to save a few other people's life's work.

        • Re: (Score:3, Interesting)

          by Abreu (173023)

          "If you must have crime, at least it should be organized crime..."
          Attributed to the Patrician of Ankh-Morpork

          • "If you must have crime, at least it should be organized crime..."

            That's what governments are for. At least for fairly low values of "organized".

    • by Chabo (880571)

      Yeah, but I don't trade stocks, so I'll start using it now. I mean, nuclear secrets look nothing like stock information, right?

    • Re:Hmm... (Score:4, Funny)

      by oldspewey (1303305) on Tuesday March 03, 2009 @05:21PM (#27057317)

      I'm okay with this worm stealing data so long as it put a little more effort into it: you know, it could introduce itself as Prince Leta Matobo living in exile in Ghana, spend some time building up a rapport, and then start making suggestions about making billions of dollars using 100% guaranteed modalities.

      This automated stealing of data is just bullshit.

      • This automated stealing of data is just bullshit.

        Because it steals work from the Nigerian princes and prime ministers?

  • by dov_0 (1438253) on Tuesday March 03, 2009 @04:50PM (#27056883)
    ..does it run on Linux?
    • Sadly, the answer is again no. I'm beginning to think that we will never see the year of Linux on the desktop at this rate.
      I've even installed Internet Explorer 6 (ies4linux), and not a single drive-by install was successful, but at least attempts were made. *sigh*
      Hell, I've even tried getting some of the latest malware to run with WINE, but no such luck. (did see some fascinating garbled screen effects and some bizarre error messages though!)
      Won't someone think of the penguins?
      *sarcasm off*

      This is one aspect

  • Attacks like this, namely single vector and single target, point to a single person or small number of persons who have found some way of using the data to profit themselves. We're probably looking at someone in their late 20s, based in the United States (cursory examination -- appears the institutions are all English and based in the US), upper middle class, 5-7 years experience programming (self-explanatory), single, male, and with a history of mental health disorders along axis IV, socially under-develope

    • by oldspewey (1303305) on Tuesday March 03, 2009 @05:03PM (#27057067)

      find someone who was recently in debt, and is now very much out of debt

      Agreed, let's go after the bailout recipients.

      • Re: (Score:3, Interesting)

        Agreed, let's go after the bailout recipients.

        No. It should be assumed this person has familiarity with those systems, in order to develop the code. Acting alone (highly probable), that means he likely has/had accounts with many if not all of those financial service providers. That grossly limits the number of available suspects. His industry and age also narrow the list even further. That probably leaves perhaps 10k worth of potential suspects in the pool. I'd be guessing, but he probably hopes to convert the stolen accounts stocks to cash, launder it

        • by commodoresloat (172735) on Tuesday March 03, 2009 @05:33PM (#27057495)

          Link it with possible terrorism to bypass the usual rules that would prevent a dragnet, and chances are good you find your man. At least, that's how I'd investigate.

          Well then thank goodness you're not investigating. Crap like this is the exact reason many of us were outraged at the Patriot Act and similar legislation; back in 2001-2 we argued that such legislation would become an easy way for investigators to ignore the Constitution for a host of other crimes. There's been plenty of evidence of that happening already, but it's rare to see someone openly advocate such an abuse of law -- usually, in fact, conservatives defended these laws by saying they would never be used against anyone but the most dangerous international terrorists.

          • by NeutronCowboy (896098) on Tuesday March 03, 2009 @05:41PM (#27057597)

            I was about to post the same exact words. The analysis is completely faulty, based on some incredibly vague and unrelated statistics, and the call to action includes zero verification of those assumptions. Narrowing the US population to the specified profile would probably provide a single hit, but that hit would also almost certainly not be related to the trojan. That's because this is a pure case of garbage in, garbage out.

        • "the one who is making all of the feverish accusations usually is the culprit"

          <sunglasses/>

          YEAAAAAAHHHHHHH

        • by gad_zuki! (70830)

          At least, that's how I'd investigate.

          Err, that's why you're a semi-anonymous poster on a web board known for its biases and Natalie Portman jokes and not in law enforcement. Unlike Americans, Russians and Chinese hackers speak and read more than one language. The idea that this must be a white guy in the suburbs who was just laid off is naive. The possibilities are pretty huge. Not to mention the historic arrests for this kind of thing turn out to be non-Americans. Anything is possible but if you profiled me,

          • Err, that's why you're a semi-anonymous poster on a web board known for its biases and Natalie Portman jokes and not in law enforcement.

            Actually, it's mostly populated by computer geeks, and every group is well-known for its biases; that's how a group defines itself. It's not well known for its Natalie Portman jokes--well, I haven't seen any, at any rate, and if there are jokes about that actor, it's purely a community thing, not what slashdot is known for -- which is having a large base of computer geeks and posting on topics that interest them. And geeks (strangely enough!) tend to have interests in all things technical, medical, or just

            • It's not well known for its Natalie Portman jokes

              That's simply because you haven't been around long enough. You presume a lot for someone who doesn't have much history.

            • by rts008 (812749)

              The United States practically pioneered financial fraud, which logically follows since we have the most developed economy in the world, and other countries come here to learn how to structure their financial institutions, not the other way around.

              That is one of the more ill informed statements I have seen in a while.

              Pioneered financial fraud? It was already an art form before anyone but (relatively few) Native American Indians knew this continent existed. We may (or may not - I don't know) have pioneered finan

    • Considering the thousands of highly skilled programmers who are now out of a job and who also probably worked on financial systems and who also have a very detailed understanding of the Win32 subsystems, I'm not surprised.
    • by olddotter (638430)
      Yea, because international criminals don't think "I'd like part of that $17 Trillion market in the US." I figure a good bit of online fraud is international organized crime. Is that wrong?
    • dude (Score:5, Funny)

      by circletimessquare (444983) on Tuesday March 03, 2009 @05:12PM (#27057221) Homepage Journal

      you just described the entire slashdot demographic

      • you just described the entire slashdot demographic

        By the time I was 30 I had 15-20 years experience programming, not 5-7. And not everybody works closely enough with financial systems to think to pull this off.

    • Forget tracing back through the network -- find out where the money is going. You have a many-to-one relationship, it's unlikely this guy is smart enough to launder money effectively

      When you are talking about stocks, laundering the money is easy. Simply buy some options in a particular stock with your own money and have your botnet purchase that stock with other people's money. If your botnet makes the trades quickly enough (it probably will) the stock's price will go up and the value of the options will follow exponentially. Sell the options near the top and reap the rewards.

      They will never find this person among all of the trades on Wall Street.

      • You're making a critical assumption -- that this guy is financially savvy, not just technically savvy. He may understand the value of stocks, but trading stocks and making a profit at it is entirely another set of skills, and he'd need money to blow to learn that skill in the first place... Which begs the question of -- why steal illegally what you can manipulate away from someone legally? There's a threshold of knowledge here -- he knows a lot about technology (the code speaks to this), but the fact that h

        • by Thelasko (1196535)

          You're making a critical assumption -- that this guy is financially savvy, not just technically savvy.

          You don't have to be financially savvy to know about pump and dump, [wikipedia.org] it's the plot of a stupid movie. [wikipedia.org]

          Besides, why would this person target stock trading websites and not banks?

        • by X0563511 (793323)

          Who's to say someone is actually profiting from this?

          If I had the skills and a lack of inhibitions, I would put out something like this simply to cause a panic.

          I'm glad I'm not that person, 'cause that would be a shitty thing to do.

    • by johnsonav (1098915) on Tuesday March 03, 2009 @05:14PM (#27057241) Journal

      Forget tracing back through the network -- find out where the money is going. You have a many-to-one relationship, it's unlikely this guy is smart enough to launder money effectively -- the entire attack scenario points to someone new and inexperienced, and is acting alone hoping this will reduce his risk exposure.

      I would imagine the guy who wrote this isn't working alone. Most of these kinds of attacks aren't meant to directly transfer money from the victim's brokerage account to an account controlled by the attacker.

      They use the hijacked accounts to purchase large quantities of a low-volume penny stock. The attacker, or the group he works for, already have a large position in that stock. The huge increase in demand pushes the price for the stock up. This causes all kinds of people to sell--including the attacker. And they make a tidy profit, while the victims are left with a large quantity of over-priced stock.

      The hard part about catching the perpetrators is sifting through the list of all the people who sold the stock at the inflated prices. A bunch of people make money from a scam like this, but only one is the criminal.

      • They use the hijacked accounts to purchase large quantities of a low-volume penny stock. The attacker, or the group he works for, already have a large position in that stock. The huge increase in demand pushes the price for the stock up. This causes all kinds of people to sell--including the attacker. And they make a tidy profit, while the victims are left with a large quantity of over-priced stock.

        Okay, sounds like your classic pump-and-dump, but let's ignore that for a minute.

        Whether he's working alone or in concert with a group of criminals, first. The probability of success is an inverse of the number of people involved in criminal enterprise. That is to say, the more people there are;
        (a) the more likely mistakes are made that can expose the individual and/or group,
        (b) the more likely for political issues to form within the group that tear it apart (and raising the chance of someone coming forward

        • The probability of success is an inverse of the number of people involved in criminal enterprise.

          And yet organized crime still exists, in the US and abroad. If this is a pump-and-dump type scheme, it's almost certainly being financed by an organized crime syndicate somewhere. It takes money to make money, in this instance.

          You are correct that these schemes are difficult to catch by simply viewing trading transactions, because the missing piece of the puzzle is communication between the participating parties, directly or otherwise.

          The only thing the attacker needs from the victim are the login details(username and password) to their brokerage accounts. After that, the criminals can access those accounts from anywhere in the world. Or, they can use the rootkit from the virus to originate those transactions from

        • I guess the perpetrators might be found by correlating the buyer/seller data from a number of cases where fraud is reported.

          The perpetrators could try to make this more difficult by making the data harder to correlate; pump some stocks that they don't buy or sell, pump some stocks, but intentionally sell outside the obvious window of opportunity, possibly at a (small) loss, using multiple, unrelated accounts to buy and sell the stock, etc.

          That way, the detectives have to try to find multiple unrelated perpe
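The pump-and-dump mechanics described a few posts up (hijacked accounts buying a thin stock, the attacker's own position sold into the spike) and the correlation idea in this post can be turned into a concrete check on a brokerage's trade feed. The following is an added example, not code from the Security Fix post or from any of the brokerages named; the trade records, account names and symbols (PNK1, PNK2, BIGCO, v1..v7, S_A, S_B) are all constructed placeholders, and the thresholds (window, minimum distinct buyers, grace period) are assumptions chosen for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    ts: int        # seconds since epoch (constructed)
    account: str
    symbol: str
    side: str      # "BUY" or "SELL"
    qty: int
    price: float


# Constructed trade feed.  v1..v7 play the compromised customer accounts,
# S_A and S_B the accounts that sell into the pump; PNK1/PNK2 are placeholder
# thinly traded symbols and BIGCO a normally traded one.  None of this is real.
TRADES = [
    Trade(100,  "a1",  "BIGCO", "BUY",  50,    20.00),
    Trade(200,  "a4",  "BIGCO", "SELL", 10,    20.05),
    Trade(1000, "v1",  "PNK1",  "BUY",  5000,  0.10),
    Trade(1020, "v2",  "PNK1",  "BUY",  4000,  0.12),
    Trade(1050, "v3",  "PNK1",  "BUY",  6000,  0.15),
    Trade(1080, "v4",  "PNK1",  "BUY",  3000,  0.19),
    Trade(1100, "v5",  "PNK1",  "BUY",  7000,  0.24),
    Trade(1150, "S_A", "PNK1",  "SELL", 40000, 0.25),
    Trade(3000, "a2",  "BIGCO", "BUY",  20,    20.10),
    Trade(5000, "v2",  "PNK2",  "BUY",  2000,  0.30),
    Trade(5030, "v4",  "PNK2",  "BUY",  2500,  0.34),
    Trade(5060, "v6",  "PNK2",  "BUY",  3000,  0.40),
    Trade(5100, "v7",  "PNK2",  "BUY",  2000,  0.47),
    Trade(5150, "S_B", "PNK2",  "SELL", 12000, 0.48),
    Trade(5200, "S_A", "PNK2",  "SELL", 20000, 0.46),
    Trade(6000, "a3",  "BIGCO", "BUY",  30,    20.20),
    Trade(9000, "r1",  "PNK1",  "SELL", 500,   0.11),   # long after the burst: not counted
]


def find_buy_bursts(trades, window=300, min_buyers=4):
    """Symbols where >= min_buyers distinct accounts bought within `window` seconds.

    Returns {symbol: (burst_start, burst_end, set_of_buyer_accounts)}.  A
    sudden fan-in of many unrelated buyers on one thin symbol is the footprint
    of hijacked accounts being driven into the same stock.
    """
    by_symbol = defaultdict(list)
    for t in trades:
        if t.side == "BUY":
            by_symbol[t.symbol].append(t)
    bursts = {}
    for sym, buys in by_symbol.items():
        buys.sort(key=lambda t: t.ts)
        for i, first in enumerate(buys):                       # sliding window from each buy
            in_window = [t for t in buys[i:] if t.ts - first.ts <= window]
            buyers = {t.account for t in in_window}
            if len(buyers) >= min_buyers:
                bursts[sym] = (first.ts, max(t.ts for t in in_window), buyers)
                break
    return bursts


def sellers_into_burst(trades, bursts, grace=600):
    """Accounts (other than the burst buyers) that sold a burst symbol during the
    burst or within `grace` seconds after it, i.e. the side that cashes out."""
    out = defaultdict(set)
    for t in trades:
        if t.side != "SELL" or t.symbol not in bursts:
            continue
        start, end, buyers = bursts[t.symbol]
        if start <= t.ts <= end + grace and t.account not in buyers:
            out[t.symbol].add(t.account)
    return out


def rank_suspects(sellers_by_symbol):
    """Correlate across cases: an account that sold into the burst of more than
    one pumped symbol is far more suspicious than a one-off lucky seller."""
    hits = defaultdict(int)
    for accounts in sellers_by_symbol.values():
        for a in accounts:
            hits[a] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


def run_detection(trades=TRADES):
    bursts = find_buy_bursts(trades)
    sellers = sellers_into_burst(trades, bursts)
    return rank_suspects(sellers)


if __name__ == "__main__":
    for account, n_cases in run_detection():
        print(f"{account}: sold into {n_cases} pump burst(s)")
```

On the constructed feed, PNK1 and PNK2 are flagged, BIGCO is not, and S_A ranks first because it sold into both bursts. The evasions listed in the post above are exactly this check's blind spots: spreading the sells over many unrelated accounts, or selling outside the grace window at a small loss, keeps every seller at one hit, so the cross-case ranking needs other linkage (shared funding sources, addresses, login origins) to recover the cluster.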

    • Nice profile, but I was disabused of the reliability of profiles by Lee Boyd Malvo and John Allen Muhammad.

      -Loyal

    • "find someone who was recently in debt, and is now very much out of debt."

        You mean like most US companies that just got bailed out by the government?

        Good luck with that.

    • Re: (Score:3, Insightful)

      by greymond (539980)

      Someone likes their CSI

      • Someone likes their CSI

        Someone worked for one of the few fortune 500 companies with not one, but two digital forensics laboratories.

    • by NeutronCowboy (896098) on Tuesday March 03, 2009 @05:28PM (#27057419)

      Err, no. You might have the most likely demographic right, but that's just because they contain the majority of crackers. As for the debt, it is very unlikely someone in that demographic managed to accumulate a lot of debt.

      What I'm pretty sure you got completely wrong is the acting alone part. You do not profit of this kind of targeted scheme by working alone. You either have a taskmaster who requested this info, or you know the people who will be able to profit from this info.

      Really, nice try, but I'm pretty sure you have no idea who the crackers really are, and how they operate. I don't know em personally either, but I've got enough experience with DSM and psychological profiling to call shenanigans on your assessment.

      • Re: (Score:3, Interesting)

        I don't know em personally either, but I've got enough experience with DSM and psychological profiling to call shenanigans on your assessment.

        And yet you don't state your qualifications. Well, here's mine: I have been in information technology for eleven years, have done network and system administration at the enterprise level, and have assisted investigators tracking down so-called "hackers". I also have about four years of programming experience, mostly to support the aforementioned. I also have spent a significant portion of my professional time learning digital forensics, taking apart malware kits, and have friends that do skip-tracing profe

        • Well, since you're talking qualifications... I've worked in IT for 9 years, have done network and system administration at the enterprise level, have organized IT departments, instituted security and monitoring policies and worked in classified government installations. I've done enough programming to know my way around applications that run over LAN or WAN. I've studied psychology and have enough friends in that area to know what a proper assessment is and what isn't. I know at an enterprise level who the

    • by gringer (252588)

      Are you, perchance, describing yourself?

    • by mgblst (80109)

      I think we can do better than this.

      He is 28-29, brown eyes/ brown hair, slightly overweight, with a tattoo of winnie the pooh on his upper right thigh. Because the gf he had for 1 month really liked it. Oh, and he likes tweetos and 7up, and hasn't changed his undies in 3 days.

    • Attacks like this, namely single vector and single target, point to a single person or small number of persons who have found some way of using the data to profit themselves. We're probably looking at [description of nerd deleted]

      ORLY?

      Sounds more to me like a "Spear Phishing" operation - in this case espionage against financial institutions.

      Spear-phishing has been used by detective agencies for corporate espionage before. But the tie-in to an existing piece of malware, the highly-developed stealth and ant

  • time for 2-factor (Score:4, Insightful)

    by Lord Ender (156273) on Tuesday March 03, 2009 @04:55PM (#27056989) Homepage

    It is time for online financial institutions (brokerages and banks) to require real 2-factor authentication to log in to their sites. When I sign up for a bank account, I want them to mail me an ATM card with an embedded smartcard chip, along with a cheap USB smartcard reader. Alternatively, send a one-time-passphrase device like SecurID.

    This may be a little expensive up front, but it would cut down on enough fraud that it might pay for itself.

    • Re: (Score:3, Insightful)

      by Darkness404 (1287218)

      I want them to mail me an ATM card with an embedded smartcard chip, along with a cheap USB smartcard reader.

      That's just fine, but they most likely won't release drivers for it for anything other than Windows and perhaps OS X, so any BSD, Linux, or other alternate OS user gets left out.

      Secondly, it would be trivial for an attacker to put in compromised drivers in the system that reads out all the secure info and forwards it to his website where he can duplicate all the secure keys and such.

      • Secondly, it would be trivial for an attacker to put in compromised drivers in the system that reads out all the secure info and forwards it to his website where he can duplicate all the secure keys and such.

        First of all, smartcard reader drivers exist for linux. They aren't complex devices.

        Second, you have no idea how smartcards work. The private key never leaves the chip.

    • Re: (Score:3, Informative)

      by oldspewey (1303305)
      I thought some of the online brokerages were already using SecurID (or similar) authentication?
    • by pz (113803)

      This may be a little expensive up front, but it would cut down on enough fraud that it might pay for itself.

      Or have customers pay for their own passphrase-generating device, like PayPal did.

    • they give you a little red dongle, and every time you log in, you have to enter a 6 digit number you read from the dongle's screen after pushing its button

      it's annoying because I'm always misplacing the dongle

      but every time I hear a story like this one, I begin to appreciate the extra effort

      and that's really why you don't see more widespread adoption of things like this dongle: people favor convenience over security. I can see plenty of people whining about the dongle and banks worrying about losing customers

    • My bank offers me the RSA SecurID feature for $20. It also offers me identity theft protection for free, with no deductible.

      I have several RSAid's, one per site I use. Why can't I have just one and have RSA the hosted SecurID Management site, like openID?
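The thread above makes two security claims worth seeing in code: a 6-digit code read off a dongle is useless to a trojan once the real login has consumed it, and a smartcard's key never leaves the chip, so a host PC (even a rootkitted one) only ever sees a challenge go in and a response come out. The following is an added example, not code from RSA, any smartcard vendor or the Security Fix post. It implements RFC 4226 HOTP and RFC 6238 TOTP (the construction SecurID-style displays are commonly modelled on) with Python's standard library, plus a constructed smartcard stand-in in which an HMAC over a server nonce replaces the on-chip cryptogram a real card computes; the seed, password and card key are demo values.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (what the dongle shows)."""
    return hotp(secret, now // step, digits)


class OtpVerifier:
    """Server side of 'password + code from the dongle'.

    It checks the code against the current time-step (plus/minus `skew` for
    clock drift) and records the last accepted step, so a code captured by a
    keylogger is dead once the legitimate login has used it, even inside the
    same 30-second window.
    """

    def __init__(self, seed: bytes, password: str, step: int = 30, skew: int = 1):
        self.seed = seed                  # shared with the token at provisioning time
        self.step = step
        self.skew = skew
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.last_step = -1

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return False
        current = now // self.step
        for s in range(current - self.skew, current + self.skew + 1):
            if s <= self.last_step:
                continue                  # step already consumed: a replayed code fails here
            if hmac.compare_digest(hotp(self.seed, s), code):
                self.last_step = s
                return True
        return False


class SmartcardStub:
    """Constructed model of 'the key never leaves the chip': the card key is set
    at issue time and reachable only through respond().  HMAC stands in for the
    cryptogram a real chip computes; the issuer holds the same key, the PC never does."""

    def __init__(self, card_key: bytes):
        self.__card_key = card_key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.__card_key, challenge, hashlib.sha256).digest()


def simulate_otp_replay():
    """A trojan logs the password and the 6-digit code typed at time t, then
    tries to reuse them 5 s later (same window) and 60 s later."""
    seed = b"constructed-demo-seed"       # demo value; a real seed lives in the token
    server = OtpVerifier(seed, "hunter2")
    t = 1_000_000
    code = totp(seed, t)                  # the number the dongle displayed
    legit = server.login("hunter2", code, now=t)
    replay_same_window = server.login("hunter2", code, now=t + 5)
    replay_later = server.login("hunter2", code, now=t + 60)
    return legit, replay_same_window, replay_later


def simulate_challenge_replay():
    """A captured smartcard response reused against a fresh server challenge."""
    card_key = os.urandom(32)             # provisioned into the chip and the issuer's back end
    card = SmartcardStub(card_key)
    challenge1, challenge2 = os.urandom(16), os.urandom(16)
    response1 = card.respond(challenge1)  # all a compromised driver could ever see
    expected1 = hmac.new(card_key, challenge1, hashlib.sha256).digest()
    expected2 = hmac.new(card_key, challenge2, hashlib.sha256).digest()
    ok = hmac.compare_digest(expected1, response1)
    replayed = hmac.compare_digest(expected2, response1)
    return ok, replayed


if __name__ == "__main__":
    print("OTP legit/replay-now/replay-later:", simulate_otp_replay())
    print("smartcard legit/replay:", simulate_challenge_replay())
```

The compromised-driver scenario raised in the thread still holds for the session itself: malware on the host can ride the one login the user performs. What the code shows is the narrower claim that the captured secret (the 6-digit code or the card's response) cannot be reused afterwards, which is what turns a stolen-credential trojan from "log in whenever you like" into "act only while the victim is logged in".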

  • Interestingly the Tigger trojan actually goes to the trouble of removing other more 'intrusive' malware that Anti-malware products currently detect in order to keep a low profile.
    This makes me wonder just how widespread it could be.
  • And... (Score:2, Funny)

    by Anonymous Coward

    ...nothing of value was lost.

  • Version 2.0 (Score:5, Interesting)

    by russotto (537200) on Tuesday March 03, 2009 @05:10PM (#27057193) Journal

    Version 2.0 won't just steal data. It'll make trades. Aside from the obvious theft possibilities, the controller would have the ability to create his very own economic meltdown, in any companies he wished, limited only by the size of his botnet...

    • Re: (Score:3, Interesting)

      by mgkimsal2 (200677)

      If it's too blatant ("meltdown") trading will just be halted. Better to be small about it. Buy stock X. Start doing a few hundred buys against a small stock from various PCs, run up the price, sell stock X, keep profit. Not much different than the email scams that try to pump up penny stocks, except in this case rather than just trying to get someone to buy it, you'd just buy it from their account for them.

      I've often wondered when viruses would start getting smarter. A virus that simply changed some of

  • by solder_fox (1453905) on Tuesday March 03, 2009 @05:12PM (#27057217)

    It would be nice if they had a list of Antivirus programs that were effective and/or operating systems affected, nice and prominent somewhere linked from the article.

    FYI, from the security bulletin:

    Affected software:
    XP Service Pack 2 & 3
    XP Pro x64 and x64 Service Pack 2
    Server 2003 Service Packs 1 & 2
    Server 2003 x64 and x64 Service Pack 2
    Server 2003 with SP1 and SP2 for Itanium

    Non-affected:
    Win2K SP 4
    Vista & Vista SP1
    Vista x64&SP1
    Server 2008 32
    Server 2008 x64
    Server 2008 Itanium

    • seeing as the submitter didn't link it (or the 'editors' removed it?)

      http://www.microsoft.com/technet/security/bulletin/MS08-066.mspx [microsoft.com]

      Just to note from that security bulletin:
      Published: October 14, 2008
      Updated: January 13, 2009

      This has already been patched for some time. Yes, I know, some are wary of installing patches in case they bring on some other issues, so one word of warning: if you use ZoneAlarm (by jove, why? WHY WHY WHY??), be sure to read the 'list of known issues after applying this patch':
      http: [microsoft.com]

    • by Sfing_ter (99478)

      the month is just beginning - and MS invariably opens more holes - they have the patent on Whack-A-Mole coding.

  • Insider Trading (Score:2, Interesting)

    I wonder if how the virus was spread could give clues to "who knows who"? IE: Did all the machines infected at ScottTrade start from a single intrusion, or was there some type of sharing of data between ScottTrade and TD Ameritrade? Not necessarily illicit, but seeing formal and informal alliances.
    • by Vancorps (746090)
      Of course I also wonder if it has anything to do with the fact that I've been seeing a lot of job postings at the trading firms involved lately.
  • Unethical (Score:3, Funny)

    by Hognoxious (631665) on Tuesday March 03, 2009 @06:34PM (#27058165) Homepage Journal

    Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles...

    Man, that's just unethical. What's the world coming to?
    But look on the bright side - even though honour among thieves is gone, at least the banking world lives on.

  • Hey, that's "good" malware! It gets rid of all those nasty popups, where can I get myself infected?

    (don't laugh. It just ain't funny)

  • Over at apple.slashdot.org people are whining about paying a few hundred dollar premium for a mac. To me, avoiding trojans and malware is certainly worth that money.

    Ya, I know, I could run Linux for a lot cheaper and avoid all the Windows virus business also. But for the average user who wants things to *just work* it seems pretty clear that the time saved in not having to deal with crap like this is certainly a good reason to avoid Windows.

    Or you could just turn on your firewall and keep your machin
