"Dasher" Worm Brings Christmas Keylogger

An anonymous reader writes "A worm called 'Dasher' is exploiting a flaw in Windows that Microsoft issued a patch for in October, dropping keyloggers on infected machines, according to F-Secure. The SANS Internet Storm Center warned earlier this week about the weird traffic generated by the first version of this worm, which apparently was crippled by programming errors. Washingtonpost.com has some information that indicates the worm appears to have originated in China. It appears from the Microsoft advisory that Dasher is a threat mainly to Windows 2000 users, although it could impact Windows Server 2003 and Windows XP users who aren't running SP2." Update: 12/17 17:20 GMT by Z : Fixed link to SANS center.

but the advisory says...

[erikus]

SP2 is affected too.

From the advisory link:
Affected Software:

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 - Download the update

...

Not quite...

[DogDude]

I know that all of my home machines, and all of our business machines are all Windows 2000. I know that a *lot* of businesses stopped with Windows 2000 because there's no real compelling reason to go to XP. Although, since it was fixed more than two months ago, there's really no reason for anybody not to have installed that patch by now.

Bugs?

[bsdluvr]

...the first version of this worm, which apparently was crippled by programming errors...

Worms with bugs?

Easily filtered

[Valdrax]

Well, if it's from China, it might be an attempt to get sensitive government info. If that's the case, then you could start by filtering down to only keystrokes from .gov & .mil domains. Then it's a matter of looking for short, 6-12 letter words separated by mouseclicks or presses of the enter of tab keys. For the good stuff, look for words that contain a non-alphabetical characters.

This won't get you into systems with multi-factor identification (like a Secure ID-based password), but it can get you the financial and personal data for government workers who might be subvertible as spies through blackmail, extorsion, or just through a simple offer to help them through a financially difficult time. (This is one reason why your credit history is an important part of getting security clearance.)

Of course, if you're just looking for financial data to rob people indiscriminately instead of something far more sinister, you can look for sections of text starting with people entering URLs for banks and so on. It's not that hard to write scripts to troll through this sort of data using simple shell scripting or Perl. As someone who works at a telecom company, let me just say that grep'ing through gigs of text data for particular strings (like a phone number in a transaction record) only takes a matter of a few minutes. It's something for which you open up Slashdot to read a single article and then come back.

No, sifting through this kind of data wouldn't be a technical or resource challenge in the slightest. Receiving and storing it would be the hardest part of the whole operation after actually writing the code to take advantage of the exploit. Extracting data from text files is monkey work.

Re:Impractical amount of data?

[teslar]

I think you're much less likely to get hit by a keylogger running Linux than Windows, and that you're 100% less likely to get infected by this keylogger. Linux isn't perfect, but the more people use it the better it gets

Mmmm... I can only really agree with you on the 100% point concerning this particular keylogger.

For the rest.... I think it would be pretty easy for me to write a little useful app, which also happens to log all your keystrokes and just release it, maybe package it as a .deb and .rpm and just mass-distribute it. Sure, I'll be found out, but not straight away and I can do a lot of damage in the meantime. The beauty is, I could even release the source of the entire app and the chances that someone will go through it and find the keylogger are pretty slim. I could probably name a couple of files keylogger.c and backdoor.c and it'll go undetected for a lot of people.
The people that do find out will of course spread the word very quickly in their circles, but the people that do not find out are not likely to be in those circles - newbies in particular, running Ubuntu or Suse and not very sure about how all this linux thing works will be a good target. I think on the whole, it would go undetected and unfixed pretty much on a same timescale as a Windows worm. Damages will be limited due to a lesser distribution and not running as root, but they will be there.

The last point you mention, linux getting better as more people use it, I find very hard to believe at all. I see what you mean - linux will get better as more developers, i.e. serious professional programmers who know what they're doing, join but not as more people just use it. I'm pretty willing to bet, that of 10 new linux users, 1 will try to improve it, 3 will have an in-depth interest, unafraid to recompile their kernel or to try things out, but the rest will be your Joe Average, finally convinced by his geek friend that he should use it instead of Windows. He will not change his default configuration that came with his user-friendly distro, he will certainly not know of, or touch any configuration file, and if you say that you have an application which automagically crawls the net for Anna Kurnikova pics, he will download and install it The more people switch to linux, the higher the number of absolutely clueless people will be. This won't make linux worse or better, but it will increase the number of targets for malicious people.

So, in summary, I do think it would be relatively easy to install a keylogger on other people's machines and the more people use linux, the easier it will become to achieve a significant spread.