Keyloggers under the microscope
A team assembled by honeynet specialist Thorsten Holz from the University of Mannheim has published a case study of banking trojans, keyloggers and their dropzones. The researchers observed a variety of malware and their activities over an extended period and discovered over 33 GBytes of log files in the dropzones of over 70 different data-stealing pests.
The log files contained personal information on more than 170,000 victims, including passwords, PINs, user names, and so on. They also contained information, including PINs, on over 10,000 bank accounts, over 140,000 email passwords and the access details of nearly 80,000 members of social networking sites such as Facebook and Hi5.
The more popular keyloggers are likely to have a hard time with bank accounts in some countries, such as the Netherlands, Germany and South Africa, where customers are required to use two-factor authentication, with a Transaction Authentication Number (TAN) as well as a PIN. Although in theory a TAN can also be logged, newer TAN procedures prevent criminals from using a stolen TAN for fraudulent purposes. Some UK banks also use two-factor authentication, at least for account sign-in, for example by asking the customer to select randomly chosen letters of a secondary pass phrase by mouse click.
The team singled out the Limbo keylogger for detailed analysis. They observed a total of 164,000 infections with this malware. The keylogger stored most of the data it collected in two Chinese drop zones. Geographically, the infections broke down as follows: 16 per cent were traced to Russia, 14 per cent to the USA, 13 per cent to Spain, 12 per cent to the UK and, surprisingly, 7 per cent to Germany.
The researchers also discuss the resale value of stolen data in the 22-page study. Depending on its liquidity, the going rate for a bank account is anything between US$10 and US$1,000. Credit cards appear to be becoming less desirable: credit card information can be bought for as little as US$0.40. Email passwords are more valuable, at between US$4 and US$30. The complete report, "Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones", is available for download.
At the conclusion of the study, the team handed over its data to the Australian CERT (AusCert), which has a system for passing information on to banks and other institutions, who can then inform the victims and take steps to remedy the situation.