Anatomy of a trojan
Fitting neatly with the "underground economy" described in Symantec's Internet Security Threat Report, security service provider and software vendor SecureWorks has published a detailed analysis of a Windows trojan. The trojan can read data from SSL-protected connections, and the analysis also gives a useful look at the tightly organized process by which the stolen data is distributed.
Buyers of the trojan, for instance, also receive database software for archiving the stolen data on a server, along with a web interface that lets prospective customers search the stolen data online by various criteria and buy what they find. According to SecureWorks, a management interface lets the operator set different prices for different kinds of accounts. And customers who need web space for their dirty work are catered for as well.
The trojan itself is modular and reportedly includes rootkit functions to hide itself from virus scanners. SecureWorks estimates that the variant it studied has already infected 5,200 PCs and harvested data from 10,000 accounts. When 30 virus scanners were first run against it, none flagged it by signature; a few raised a heuristic warning, but only because the file had been compressed with a packer popular among malware authors. Detection rates have improved since, but according to SecureWorks five scanners still miss the malware.
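To make concrete what a "heuristic" hit on a packed file actually means, here is an added example (written for this page, not code from SecureWorks or from the Gozi analysis) of the classic packer heuristic: walk the PE section table, compute the Shannon entropy of each section's raw bytes, and flag sections that are near-random or carry a known packer section name. The 7.0 bits-per-byte threshold, the UPX section names and the three synthetic PE images are assumptions and constructed fixtures for the demonstration; no real binary is involved.

```python
import hashlib
import math
import struct

# Heuristic knobs: assumed values for this example, not thresholds from any scanner.
ENTROPY_THRESHOLD = 7.0                            # bits/byte; compressed or encrypted data sits near 8.0
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}    # section names the UPX packer writes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, ~8.0 for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk the PE section table and return (name, raw bytes) for each section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # signature + COFF header + optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        name = name.rstrip(b"\x00").decode("ascii", "replace")
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def analyze(image: bytes) -> dict:
    """Flag a PE as 'probably packed' from per-section entropy and packer section names.
    This detects packing, not malice: that is exactly why such hits are only heuristic."""
    findings = []
    for name, data in parse_sections(image):
        h = shannon_entropy(data)
        reasons = []
        if name in PACKER_SECTION_NAMES:
            reasons.append("known packer section name")
        if h > ENTROPY_THRESHOLD:
            reasons.append(f"entropy {h:.2f} above {ENTROPY_THRESHOLD}")
        findings.append({"section": name, "entropy": round(h, 2), "reasons": reasons})
    return {"suspicious": any(f["reasons"] for f in findings), "sections": findings}


# --- constructed fixtures: synthetic PE images, not real binaries ---------------------

def pseudo_random(n: int, seed: bytes = b"packer-example") -> bytes:
    """Deterministic high-entropy filler standing in for packed or encrypted code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_pe(sections) -> bytes:
    """Assemble a minimal PE32 file from (name, data) pairs. Only the fields the parser
    above reads are meaningful; the optional header is a zeroed placeholder."""
    opt_size, e_lfanew = 0xE0, 0x40
    headers_end = e_lfanew + 24 + opt_size + 40 * len(sections)
    raw_base = (headers_end + 0x1FF) & ~0x1FF        # 512-byte file alignment
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    table, body, ptr, va = b"", b"", raw_base, 0x1000
    for name, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"), len(data), va,
                             raw_size, ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\x00")
        ptr, va = ptr + raw_size, va + 0x1000
    return (dos + b"PE\x00\x00" + coff + opt + table).ljust(raw_base, b"\x00") + body


# Ordinary compiled code: repetitive x86 prologues plus a few strings, low entropy.
CLEAN_IMAGE = build_pe([
    (".text", b"\x55\x8b\xec\x83\xec\x08" * 100 + b"username=&password="),
    (".data", b"Copyright notice and other readable strings\x00"),
])
# UPX-style layout: an empty stub section plus a section of compressed code, flagged twice.
PACKED_IMAGE = build_pe([
    ("UPX0", b""),
    ("UPX1", pseudo_random(4096)),
])
# A benign program carrying a compressed resource blob trips the entropy rule just as well.
COMPRESSED_RESOURCE_IMAGE = build_pe([
    (".text", b"\x55\x8b\xec\x83\xec\x08" * 100),
    (".rsrc", pseudo_random(2048, seed=b"resource")),
])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("packed", PACKED_IMAGE),
                       ("compressed resource", COMPRESSED_RESOURCE_IMAGE)):
        print(label, analyze(img))
```

The third fixture is the point of the caveat: a legitimate program that ships a compressed or encrypted resource looks the same to this rule as a packed trojan, which is why a scanner can only "warn" on it, and why a malware author who avoids well-known packers sidesteps the heuristic entirely.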
The trojan hooks into Winsock2 functions, which lets it read the traffic even when it is subsequently encrypted with SSL for transmission over the network. It goes by a number of names, including Agent.AVV, Small.BS and Ursnif.AG, and reportedly gets onto PCs through a vulnerability in Internet Explorer.
SecureWorks says it has informed law enforcement and has also notified the unwitting operators of the servers hosting the database, which as a rule are hacked web servers. To guard against data theft, SecureWorks recommends, unsurprisingly, deploying intrusion detection systems, a product the vendor sells itself.
For most users, however, the best defense is to lock down their own web browser; the c't Browsercheck, for example, shows how.
- Gozi Trojan, the analysis at SecureWorks