"Dasher" Worm Brings Christmas Keylogger

An anonymous reader writes "A worm called 'Dasher' is exploiting a flaw in Windows that Microsoft issued a patch for in October, dropping keyloggers on infected machines, according to F-Secure. The SANS Internet Storm Center warned earlier this week about the weird traffic generated by the first version of this worm, which apparently was crippled by programming errors. Washingtonpost.com has some information that indicates the worm appears to have originated in China. It appears from the Microsoft advisory that Dasher is a threat mainly to Windows 2000 users, although it could impact Windows Server 2003 and Windows XP users who aren't running SP2." Update: 12/17 17:20 GMT by Z : Fixed link to SANS center.

but the advisory says...

[erikus]

SP2 is affected too.

From the advisory link:
Affected Software:

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 - Download the update

...

Easily filtered

[Valdrax]

Well, if it's from China, it might be an attempt to get sensitive government info. If that's the case, then you could start by filtering down to only keystrokes from .gov & .mil domains. Then it's a matter of looking for short, 6-12 letter words separated by mouseclicks or presses of the enter of tab keys. For the good stuff, look for words that contain a non-alphabetical characters.

This won't get you into systems with multi-factor identification (like a Secure ID-based password), but it can get you the financial and personal data for government workers who might be subvertible as spies through blackmail, extorsion, or just through a simple offer to help them through a financially difficult time. (This is one reason why your credit history is an important part of getting security clearance.)

Of course, if you're just looking for financial data to rob people indiscriminately instead of something far more sinister, you can look for sections of text starting with people entering URLs for banks and so on. It's not that hard to write scripts to troll through this sort of data using simple shell scripting or Perl. As someone who works at a telecom company, let me just say that grep'ing through gigs of text data for particular strings (like a phone number in a transaction record) only takes a matter of a few minutes. It's something for which you open up Slashdot to read a single article and then come back.

No, sifting through this kind of data wouldn't be a technical or resource challenge in the slightest. Receiving and storing it would be the hardest part of the whole operation after actually writing the code to take advantage of the exploit. Extracting data from text files is monkey work.