A sign of things to come in credentials theft malware
A new Trojan designed to steal banking credentials has been analysed by SecureWorks. It turns out to be one of a growing population of credential-theft tools that install themselves as Layered Service Providers (LSPs), inserting themselves into the user's connection to the internet to steal or modify data in transit. But this one has an extra twist in the tail.
An LSP is a Winsock 2 Service Provider Interface (SPI) mechanism whereby a legitimate service such as a personal firewall can layer itself into the Winsock provider chain, between applications and the base TCP/IP provider. It is a user-mode DLL, registered in the Winsock catalog and loaded into every process that uses Winsock, so once in place it sees and can rewrite the data an application hands to send() and recv() before it reaches the kernel. A malicious provider can do exactly the same, copying selected data to an external target, and because it runs inside the application process it also inherits that process's privileges. The catalog can be inspected with `netsh winsock show catalog`, which makes an unexpected layered provider, or one whose DLL lives outside %SystemRoot%\system32, a useful thing to check for.
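As an added example, not taken from the SecureWorks analysis or from this article, the script below parses the text that `netsh winsock show catalog` prints on Windows, groups it into catalog entries, and reports every Layered Service Provider together with the chain entries that route traffic through it and whether its DLL sits outside %SystemRoot%\system32. The sample catalog embedded in the script is constructed for the example: the entry types and field names follow the netsh output format as assumed here, and the provider GUID, DLL path and description of the layered provider are invented.

```python
"""
Triage the Winsock 2 provider catalog for layered service providers (LSPs).

Input is the text produced by `netsh winsock show catalog`, either captured
live on a Windows host or saved to a file. The parser is deliberately loose:
it keys on "Name:   value" lines so that extra fields in newer Windows
builds do not break it.

Assumptions (this is example code, not a vendor tool):
  * entry types are "Base Service Provider", "Layered Service Provider" and
    "Layered Chain Entry", as netsh prints them;
  * a chain entry may carry a "Protocol Chain:" line listing catalog IDs;
    if it does not, chain entries are matched to their LSP by DLL path.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample: one base provider, one (made-up) layered provider
# living in a temp directory, and the chain entry that layers it over TCP/IP.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example Layered Provider
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\\Windows\\Temp\\example_lsp.dll
Catalog Entry ID:                   1036
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example Layered Provider over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\\Windows\\Temp\\example_lsp.dll
Catalog Entry ID:                   1037
Protocol Chain Length:              2
Protocol Chain:                     1036 : 1001
"""

# "Key:   value" with at least two spaces after the colon, so that the colon
# inside a Windows path ("C:\...") is never mistaken for the key separator.
LINE_RE = re.compile(r"^\s*([A-Za-z ]+?):\s{2,}(.*?)\s*$")
ENTRY_HEADER = "Winsock Catalog Provider Entry"
TRUSTED_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


@dataclass
class CatalogEntry:
    entry_type: str
    description: str
    provider_id: str
    provider_path: str
    catalog_id: int
    chain_length: int
    chain: list[int] = field(default_factory=list)


def parse_catalog(text: str) -> list[CatalogEntry]:
    """Split netsh output into entries and pick out the fields we care about."""
    entries = []
    for block in text.split(ENTRY_HEADER)[1:]:
        fields = {}
        for line in block.splitlines():
            m = LINE_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if "Entry Type" not in fields:
            continue
        chain = [int(x) for x in re.findall(r"\d+", fields.get("Protocol Chain", ""))]
        entries.append(CatalogEntry(
            entry_type=fields["Entry Type"],
            description=fields.get("Description", ""),
            provider_id=fields.get("Provider ID", ""),
            provider_path=fields.get("Provider Path", ""),
            catalog_id=int(fields.get("Catalog Entry ID", "0")),
            chain_length=int(fields.get("Protocol Chain Length", "0")),
            chain=chain,
        ))
    return entries


def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def find_layered_providers(entries: list[CatalogEntry]) -> list[dict]:
    """One finding per LSP: its DLL, whether it is outside system32, and
    the base providers it is layered over (from chain entries)."""
    findings = []
    for lsp in (e for e in entries if e.entry_type == "Layered Service Provider"):
        base_ids = set()
        for e in entries:
            if e.chain_length <= 1:
                continue
            routed = lsp.catalog_id in e.chain or e.provider_path == lsp.provider_path
            if routed:
                base_ids.update(i for i in e.chain if i != lsp.catalog_id)
        findings.append({
            "catalog_id": lsp.catalog_id,
            "description": lsp.description,
            "dll": lsp.provider_path,
            "outside_system32": not is_trusted_path(lsp.provider_path),
            "layered_over": sorted(base_ids),
        })
    return findings


def live_catalog() -> str:
    """Run netsh on the local Windows host (not used by the offline sample)."""
    return subprocess.run(["netsh", "winsock", "show", "catalog"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for f in find_layered_providers(parse_catalog(SAMPLE_CATALOG)):
        flag = "SUSPICIOUS" if f["outside_system32"] else "ok"
        print(f"[{flag}] LSP {f['catalog_id']} {f['description']!r} -> {f['dll']} "
              f"layered over {f['layered_over']}")
```

On a real host, replace `SAMPLE_CATALOG` with `live_catalog()` (or with a saved netsh dump from the machine under investigation). A provider outside system32 is a lead, not a verdict: follow it up by checking the DLL's signature and hash, and remember that legitimate security products also register LSPs, so the description and vendor matter as much as the path. If the catalog has been damaged by removing an LSP by hand, `netsh winsock reset` rebuilds it.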
Combined, these various techniques make a strong cocktail. But probably the most worrying specific fact to emerge from this report is the result of an undercover probe conducted by SecureWorks. Within 24 hours of going undercover, the investigator was told to join a secure IRC channel and offered tool kits for between US$1,000 and US$2,000, including customised versions of the Trojan. This is clearly just a single example of a developing service market for such tools. If these findings and the sophistication of the blended threat used by this example are anything to go by, the prevalence, quality and specificity of such tools will continue to increase, and conventional countermeasures such as anti-virus products will have their hands full containing the threat.
- Gozi Trojan, analysis from SecureWorks
- TSPY_AGENT.NYE, Trend Micro's report on a similar current LSP Trojan