kaini Posted March 3, 2009

the very specific nature of the targets, the way it fixes other malware and the distribution method are what impresses me:

The Tigger Trojan: Icky, Sticky Stuff

A relatively unknown data-stealing Trojan horse program that has claimed more than a quarter-million victims in the span of a few months aptly illustrates the sophistication of modern malware and the importance of a multi-layered approach to security.

When analysts at Sterling, Va.-based security intelligence firm iDefense first spotted the trojan they call "Tigger.A" in November 2008, none of the 37 anti-virus products they tested it against recognized it. A month later, only one - AntiVir - detected it. That virtual invisibility cloak, combined with a host of tricks designed to elude forensic malware examiners, allowed Tigger to quietly infect more than 250,000 Microsoft Windows systems, according to iDefense's read of log files recovered from one of the Web servers Tigger uses to download code.

iDefense analyst Michael Ligh found that Tigger appears designed to target mainly customers or employees of stock and options trading firms. Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade and Scottrade.

iDefense said the Trojan is the first known malware to exploit a specific vulnerability Microsoft patched in mid-October 2008. That flaw is what's known as a "privilege escalation" vulnerability, in that it cannot be exploited remotely, and merely allows the attacker to gain access to the almighty "administrator" account in Windows.

That means that even if the user is running the system as I so often advise - under a limited user account that does not have permission to make changes deep within the operating system - the presence of this unpatched vulnerability on a Windows system would let this invader override that protection.
While running Windows under a limited user account is a key step in keeping your system in its safest state, staying up-to-date on patches - both fixes for the operating system and third-party software - is still just as important. I would actually rank anti-virus a distant third protection mechanism, given how poorly most anti-virus tools seem to be faring against the latest malware families.

Read on after the jump for other "fun-fun-fun-fun-fun" facts about the "T-I-Double-Guh-Er" Trojan that hint at its motives and perhaps origin.

Update, Feb. 25, 5:00 p.m. ET: Byron Acohido, the Pulitzer Prize-winning cyber security reporter for USA Today, has published a fascinating yarn about the underground market for customized banking Trojans that is worth a read.

Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles. iDefense analysts say this is most likely done because the in-your-face "hey, your-computer-is-infected-go-buy-our-software!" type alerts generated by such programs just might tip off the victim that something is wrong with his system, and potentially lead to all invaders getting booted from the host PC.

According to iDefense, it also installs a "rootkit" on the infected system that loads even when the system is started up in "Safe Mode," the Windows diagnostic boot sequence that is supposed to disable non-essential Windows components to make troubleshooting system problems easier. A rootkit is a set of tools designed to allow malware authors to better hide their creations in host systems so that they are extremely stealthy and difficult to remove.

Finally, iDefense's Ligh said one aspect of this new Trojan suggests the authors behind the Srizbi botnet may have had a hand in developing or distributing it.
As a result of the shutdown of hosting provider McColo in November 2008, the Srizbi botnet - at the time responsible for sending more than 40 percent of the world's spam - was cut off from the servers its masters used to control it. But Srizbi had a built-in mechanism to resurrect itself: it told all infected systems to seek out a rotating set of new domain names every few days, names that the bad guys could (and did) use to regain control over the botnet.

According to iDefense, Tigger uses a special key code to extract its rootkit on host systems, a lengthy key that is almost identical to the key used by the domain name generation feature built into the Srizbi botnet. While the nearly matching keys may be nothing more than a coincidence, it is unusual to find data-stealing Trojans that remove other malicious software, Ligh said. Rather, such features are far more commonly found in bot programs typically used to turn systems into spam relays, such as the Srizbi botnet.

"The scary part is, none of us are really sure how Tigger is even being distributed," Ligh said. "I look at a lot of info-stealing malware, and this is the first one I've seen in a while that goes to the trouble of removing other pieces of malware."

Link to comment: https://forum.watmm.com/topic/43218-triggera-impressive-botnettrojan/
Guest hahathhat Posted March 3, 2009

the fixing other malware shit ain't new. common sense really -- if there's no shit malware loading the system down, users are less likely to realize there's a problem.
kaini Posted March 3, 2009

oh, i know it's not new. there were some things like that for the amiga, very poorly executed, usually ending in guru meditation. it's just the specific nature of the targets combined with that, and the sheer slickness of the whole deal that i think is cool
Guest Super lurker ultra V12 Posted March 3, 2009

cool indeed
Guest hahathhat Posted March 3, 2009

you want cool?? my friend used to work for a corporate anti-malware company, and his job was largely to analyze/disable some of the new malware they found. he found one guy in eastern europe somewhere running a botnet. botnet was controlled via IRC, and the commands seemed pretty straightforward, so.... he took it over. then the owner came onto IRC, started bitching him out for stealing his botnet!! my friend told him to piss up a flagpole and shut the botnet down.
kaini Posted March 3, 2009 (edited)

there was a similar article on /. a while back. dude reverse-engineered a trojan within a virtualized machine. he hacked the virtualized hosts file to redirect everything to a port on a linux machine in his network. from there he used a port sniffer or some shit and got a username and pass for an irc channel, and when he logged in there was about a zillion bots sitting there awaiting his command. the screenshots were awesome in a nerdy way

edit: corrected some minor details

Edited March 3, 2009 by kaini
Guest hahathhat Posted March 3, 2009

kaini said: there was a similar article on /. a while back. dude reverse-engineered a trojan within a virtualized machine. he hacked the virtualized hosts file to redirect everything to a port on a linux machine in his network. from there he used a port sniffer or some shit and got a username and pass for an irc channel, and when he logged in there was about a zillion bots sitting there awaiting his command. the screenshots were awesome in a nerdy way. edit: corrected some minor details

could be him!! this was, um, summer 2007 maybe?
kaini Posted March 3, 2009 (edited)

i read the article about a month ago, but the way stuff gets recycled on slashdot, who fucking knows. this guy won a cash prize as part of a thingy sponsored by that virus, norton - only seven people submitted entries worthy of consideration iirc

Edited March 3, 2009 by kaini
Guest hahathhat Posted March 3, 2009

okay, i don't think he won anything from norton.
david Posted September 21, 2011 (edited)

On 9/21/2011 at 3:05 AM, Jonas said: I know fuck all about this shit, but I came across this thread searching for 'rootkit' as I have a virus atm messing up my system. Some diagnostic tool called gmr says 'whistler@MBR', which nerd can I punch for making this? http://forums.majorg...ad.php?t=235058

On 3/3/2009 at 11:12 PM, kaini said: oh, i know it's not new. there were some things like that for the amiga, very poorly executed, usually ending in guru meditation. it's just the specific nature of the targets combined with that, and the sheer slickness of the whole deal that i think is cool

there were viruses for the amiga? i know nothing about it

edit: like this?

Edited September 21, 2011 by david