Monster trojan steals job candidates' data [Update]

Security services Symantec and SecureWorks have discovered a trojan which uses recruiters' Monster.com access credentials to retrieve potential candidates' personal data. The trojan spreads via email attachments and web pages exploiting web browser and other software vulnerabilities. The US media also report advertising which injects malicious code into victims' systems at Monster.com.

The trojan Infostealer.Monstres (Symantec) and PrgTrojan (SecureWorks) was created using a software toolkit. It uses its own new runtime packer and masks its malicious code using several different techniques, for example by replacing simple operations with long, elaborate calls. This is aimed at evading detection via signatures or heuristic antivirus scanning. Compromised systems send the accumulated data to the servers via proxies, which makes the actual servers difficult to find. The stolen data is stored in encrypted format to prevent third party access.

The trojan hooks itself into several system functions and hides using root kit techniques. It also monitors internet communication by hooking itself into the Winsock library and in WinInet.dll. It retrieves data transmitted via secure SSL from memory in unencrypted form and sends it to the malicious servers.

Infostealer.Monstres uses stolen access credentials to the recruiters' pages at Monster.com to collect the personal data of job candidates. It retrieves the data via the sub domains hiring.monster.com and recruiter.monster.com, thereby targeting mainly English speakers. The malware obtains, for example, social security numbers, account information, names and addresses, phone numbers, email addresses as well as user names and passwords.

Symantec found more than 1.6 million entries belonging to several hundred thousand job candidates who are apparently located mainly in the US. The trojan can also send spam. Symantec established a connection to the malicious GPCoder which encodes the data on the victim's hard disk and solicits a ransom. Phishing emails purporting to come from Monster.com and containing GPCoder as an attachment have allegedly been sent to job candidates by the perpetrators of this attack. These phishing emails contained personal data of victims and looked very similar to authentic emails by Monster.com.

Users can protect themselves against malware of this kind in the usual way: Install all available updates for operating systems and software, use an up-to-date antivirus solution, and don't open attachments of unexpected emails or follow any email links. Further information about protection against malware can be found on the heise security antivirus pages.

Update:
The Times has suggested that the data leak may have included details of up to 3.2 million Britons, located on Monster servers in the US.

(mba)