Slashdot Mirror


"Dasher" Worm Brings Christmas Keylogger

An anonymous reader writes "A worm called 'Dasher' is exploiting a flaw in Windows that Microsoft issued a patch for in October, dropping keyloggers on infected machines, according to F-Secure. The SANS Internet Storm Center warned earlier this week about the weird traffic generated by the first version of this worm, which apparently was crippled by programming errors. Washingtonpost.com has some information that indicates the worm appears to have originated in China. It appears from the Microsoft advisory that Dasher is a threat mainly to Windows 2000 users, although it could impact Windows Server 2003 and Windows XP users who aren't running SP2." Update: 12/17 17:20 GMT by Z : Fixed link to SANS center.

25 of 114 comments

  1. They do not need to bother by Anonymous Coward · · Score: 4, Funny

    They can just go ask the NSA what is going on.

  2. Impractical amount of data? by PurifyYourMind · · Score: 3, Interesting

    Wouldn't sifting through data from potentially hundreds of thousands of machines (for popular viruses/worms) be difficult-to-impossible? Or maybe there's a way to determine which accounts are, e.g. admins on large IRC servers or otherwise useful.

    1. Re:Impractical amount of data? by Kijori · · Score: 3, Interesting

      That depends on the resources of the group behind the attack. If this is an individual importing all the data into a database, then yes, it would be nearly impossible for them to make any real headway. If, however, it is a government faction running a pseudo-AI program to sift out useless data before passing it on to a few hundred minimum-wage key pounders, then very large scale breaches are not only possible, but likely. Of course, the programming errors alluded to in the summary suggest the former over the latter, but even so we need to consider the possibilities of a well-funded group using a virus like this to hold large companies to ransom or just to disrupt the internet. Should help drive people to Linux though, so there is a good side.

    2. Re:Impractical amount of data? by tpgp · · Score: 2, Insightful

      Wouldn't sifting through data from potentially hundreds of thousands of machines (for popular viruses/worms) be difficult-to-impossible? Or maybe there's a way to determine which accounts are, e.g. admins on large IRC servers or otherwise useful.

      I think it would be trivial to write a script to go through the data looking for email addresses & credit card / bank account details.

      I'm sure that's what the author is after....

      --
      My pics.
    3. Re:Impractical amount of data? by Xarius · · Score: 3, Interesting

      You think Linux is somehow immune to keyloggers?

      --
      C17H21NO4
    4. Re:Impractical amount of data? by toadlife · · Score: 2, Insightful

      "The more people use it, the better it gets?" I don't get that train of thought. There are only so many people that can hack on Linux code, and most vulnerabilities in any platform are completely unrelated to the kernel anyway. If a bunch of ignorant people used Linux, it seems to me it would only make Linux what Windows is today - a platform with a huge bullseye on it.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    5. Re:Impractical amount of data? by teslar · · Score: 3, Informative

      I think you're much less likely to get hit by a keylogger running Linux than Windows, and that you're 100% less likely to get infected by this keylogger. Linux isn't perfect, but the more people use it the better it gets

      Mmmm... I can only really agree with you on the 100% point concerning this particular keylogger.

      For the rest.... I think it would be pretty easy for me to write a little useful app, which also happens to log all your keystrokes and just release it, maybe package it as a .deb and .rpm and just mass-distribute it. Sure, I'll be found out, but not straight away and I can do a lot of damage in the meantime. The beauty is, I could even release the source of the entire app and the chances that someone will go through it and find the keylogger are pretty slim. I could probably name a couple of files keylogger.c and backdoor.c and it'll go undetected for a lot of people.
      The people that do find out will of course spread the word very quickly in their circles, but the people that do not find out are not likely to be in those circles - newbies in particular, running Ubuntu or Suse and not very sure about how all this linux thing works will be a good target. I think on the whole, it would go undetected and unfixed pretty much on a same timescale as a Windows worm. Damages will be limited due to a lesser distribution and not running as root, but they will be there.

      The last point you mention, linux getting better as more people use it, I find very hard to believe at all. I see what you mean - linux will get better as more developers, i.e. serious professional programmers who know what they're doing, join but not as more people just use it. I'm pretty willing to bet that of 10 new linux users, 1 will try to improve it, 3 will have an in-depth interest, unafraid to recompile their kernel or to try things out, but the rest will be your Joe Average, finally convinced by his geek friend that he should use it instead of Windows. He will not change his default configuration that came with his user-friendly distro, he will certainly not know of, or touch any configuration file, and if you say that you have an application which automagically crawls the net for Anna Kurnikova pics, he will download and install it. The more people switch to linux, the higher the number of absolutely clueless people will be. This won't make linux worse or better, but it will increase the number of targets for malicious people.

      So, in summary, I do think it would be relatively easy to install a keylogger on other people's machines and the more people use linux, the easier it will become to achieve a significant spread.
  3. It could always be worse... by Ruff_ilb · · Score: 3, Insightful

    Most of the desktops that I know that run Win2k are run by schools, universities, etc. I haven't seen someone's PC running win2k yet. Also, these desktops (the ones run by schools, at the library, etc) are usually either (A) very secure or (B) no one expects them to be secure. So this could be worse, I think.

    This could be a major problem if it infected SP2 computers.

    --
    http://www.TheGamerNation.com/Forums
  4. Convenient? by Jynx97 · · Score: 5, Interesting

    Didn't I just read somewhere that Microsoft was upset with the penetration of SP2 for Winxp?

    The next day an article comes out saying that only SP2 will save you!

  5. Watch out by Anonymous Coward · · Score: 4, Funny

    If Fox News finds out some people are calling it a Holiday Keylogger, there could be hell to pay.

  6. but the advisory says... by erikus · · Score: 5, Informative

    SP2 is affected too.

    From the advisory link:
    Affected Software:

    Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 - Download the update

    ...

  7. Oh What Fun by MrNonchalant · · Score: 2, Funny

    A holiday keylogger called Dasher. Could we call whoever wrote this a scrooge? How about a grinch? The cuteness doesn't stop here folks!

  8. My answer to Key loggers by Anonymous Coward · · Score: 5, Funny

    I write some PERL using Vim

    Keylog THAT if you dare

    1. Re:My answer to Key loggers by JackDW · · Score: 2, Insightful

      vi is the only surviving editor that has a protocol instead of a user interface. The datastream moving from your brain to the file on disk is about as compressed as it can be. All the commands are minimalist (most are single-key), you never need to use the mouse, there's built-in regex support... No wonder programmers like it: the editor doesn't require you to switch context.

      Unfortunately the datastream produced by vi is very easy to examine - just pipe it into another copy of vi, and there you go. Easier than examining the keystrokes of someone typing in a lesser editor, anyway, as their editing will be punctuated by mouse-clicks and menu events, making analysis tricky.

      Fortunately, if you're able to use vi, you are perfectly able to (a) patch your OS, or (b) use a sensible OS, or (c) both, so who cares?

      --
      You're an immobile computer, remember?
  9. It just hit me by Stan+Vassilev · · Score: 5, Interesting

    Looks like viruses (spread by infecting exe files) are mostly non-existent today, replaced by network-propagated worms..

    And it just hit me that we'd never get any of this if we were not on-line all the time.. Few years ago when the first internet worms were appearing I was like "ahah, just don't stay connected all the time you idiots".

    Now I and the majority of folks around the world are "converted" and hopelessly tied to on-line, making us vulnerable to those attacks.

    How many minutes can you spend offline, before the reflex kicks in and you try to google up some info you need?

  10. Re:Could be worse...Is worse than u think... by RealisticCanadian · · Score: 4, Interesting

    While this still could be worse, you are correct on one thing: Win2k in schools.

    Spent the summer working at a local university. There was superfluous opportunity to embezzle a lot of money; as we were instituting their absolutely awful new HR software--which also meant I got to see how much all the bigwigs and upper-administrators (read: idiots puffed full of their own self importance) made off of hard-working students. (I was brought on as a Data Technician; not support or PC repair or what-have-you)

    When the machines in our semi-secret office (All W2K) were infected with a virus (Don't ask me, I no longer remember, but I went & read the writeup @ Symantec then, which told me it was able to cross-propagate through the network once it landed on one machine) I of course decided to quarantine the bastard myself first... I then realized what I had most feared--that these machines were all set up to Track who was using them; but not to actually restrict Anyone from Anything. That's right, Joe Schmoe user could do anything he wanted; from registry-hacking to whatever your heart desired.

    So; I managed to isolate this guy and the three other viruses that were wandering through the War-Room (that's what we called it); but I didn't purge, at this point I was too intrigued, so I summoned the IT guys.

    4 hours later ONE guy (who looks like a plumber, and not even Mario) shows up, and begins, well, piddling (there's no other word for it.... he threw in an admin password and started checking completely unnecessary settings, then attempting to read the reports that their Tracking software creates, presumably to get to the root of the problem) with the machines after pretending he doesn't need me to tell him what I've done so far. His expression gets more and more bored, and after about another hour and a half, he tells my boss (one of them aforementioned admin-types) that he can't find anything wrong, and she should watch 'that new guy'.

    I'm pretty sure they heard my jaw hit the floor on the other side of campus. A week later I had received the job offer I'd been counting on from the local cable service provider; and I headed for the hills, washing my hands of the whole situation, and terribly glad the only records tying my name to the place were strictly paper-based.

    I checked in on it with a friend of mine who's a student there. He moved here from China, and is still a little unpolished with his english, but I heard this loud and clear: "Oh my FUCKING GOD man! Half the computers on campus are FUCKED!"

    I can only assume that Mr. Plumber did not get anyone to look into the virus.

    I have no idea how much that mistake cost the University; but I do know that once it was cleaned out, nothing changed. They are merrily running the exact same systems setup the exact same way; probably every one of em mapped off the mirror sitting in the IT department.

    So yes, I do believe that this could have a MUCH wider effect than you believe.

    --
    A couple fans told me that my last journal entry was mint; give it a shot. Hope you like.
  11. maybe it's santa! by cursion · · Score: 4, Funny

    maybe it's really from santa and his IT dept is testing out new ways of seeing who is naughty and nice and checking on what we really want. i mean, imagine getting about 6 billion emails and/or snail mails saying "i want this!".

    sing along now...
    "He knows when you've been sleeping. He knows when you're awake. He knows what you're typing. ..."

    --
    remember when it was {of|for|by} the people?
  12. Not quite... by DogDude · · Score: 2, Informative

    I know that all of my home machines, and all of our business machines are all Windows 2000. I know that a *lot* of businesses stopped with Windows 2000 because there's no real compelling reason to go to XP. Although, since it was fixed more than two months ago, there's really no reason for anybody not to have installed that patch by now.

    --
    I don't respond to AC's.
  13. Bugs? by bsdluvr · · Score: 2, Informative

    ...the first version of this worm, which apparently was crippled by programming errors...

    Worms with bugs?

  14. Easily filtered by Valdrax · · Score: 4, Informative

    Well, if it's from China, it might be an attempt to get sensitive government info. If that's the case, then you could start by filtering down to only keystrokes from .gov & .mil domains. Then it's a matter of looking for short, 6-12 letter words separated by mouseclicks or presses of the enter of tab keys. For the good stuff, look for words that contain a non-alphabetical characters.

    This won't get you into systems with multi-factor identification (like a Secure ID-based password), but it can get you the financial and personal data for government workers who might be subvertible as spies through blackmail, extortion, or just through a simple offer to help them through a financially difficult time. (This is one reason why your credit history is an important part of getting security clearance.)

    Of course, if you're just looking for financial data to rob people indiscriminately instead of something far more sinister, you can look for sections of text starting with people entering URLs for banks and so on. It's not that hard to write scripts to troll through this sort of data using simple shell scripting or Perl. As someone who works at a telecom company, let me just say that grep'ing through gigs of text data for particular strings (like a phone number in a transaction record) only takes a matter of a few minutes. It's something for which you open up Slashdot to read a single article and then come back.

    No, sifting through this kind of data wouldn't be a technical or resource challenge in the slightest. Receiving and storing it would be the hardest part of the whole operation after actually writing the code to take advantage of the exploit. Extracting data from text files is monkey work.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  15. Of course... by Skiron · · Score: 2, Insightful

    ... the big question is why haven't people patched?

    Well I will tell you. They don't as Microsoft NEVER EVER release just a `fix' patch. It is bundled with other patches that break lots of things. So people either:

    a) Can't as it fubars their system.

    or

    b) Too scared what it breaks. [I still get very nervy at work when applying these patches to servers - you never know - nor guarantee - if it will ever come back up again or just get BSOD.]

    It is about time MS started to just issue a patch to fix ONE of their flaws instead of loading it with other `upgrades' the users don't want or need - or even just do 'one at a time'.

  16. What am I missing? by lip_spork · · Score: 2, Insightful

    The worm posts data collected to a specific server. Isn't that kind of evidence that could be used to determine who's responsible for it?

  17. Irony by TeknoHog · · Score: 2, Interesting

    You're safe from keyloggers if you use Dasher.

    --
    Escher was the first MC and Giger invented the HR department.
  18. OK... by Skiron · · Score: 2, Interesting

    Have a laugh...
    http://support.microsoft.com/kb/905915

    WTF?

    Update rollup 905915 includes the cumulative security fixes that are documented in security bulletin MS05-054. The update rollup also includes hotfixes for Microsoft Internet Explorer that were released after the release of security bulletin MS04-004 and of security bulletin MS04-038.
    If update rollup 873377, update rollup 889669, or an Internet Explorer hotfix that was released after security bulletin MS04-038 are not installed, and if you want to install the hotfixes that are included in update rollup 905915, you must follow the instructions in Microsoft Knowledge Base article 897225. Otherwise, all Internet Explorer hotfixes that you have installed are removed.
    897225 How to install hotfixes that are included in cumulative security updates for Internet Explorer 6 Service Pack 1
    The update rollup 905915 installer verifies whether one or more of the files that are being updated on the computer have previously been updated by an Internet Explorer hotfix. However, the installer detects only hotfixes that were released after security bulletin MS04-038, after update rollup 873377, or after update rollup 889669. Therefore, if you have installed update rollup 873377, update rollup 889669, or an Internet Explorer hotfix that was released after update rollup 873377, the update rollup 905915 installer automatically installs the hotfixes and the security updates that are included in update rollup 905915.


    As I said, no wonder people don't apply patches.
  19. Patch bundling by Craig+Ringer · · Score: 2, Interesting

    I hear people claim that MS bundle up multiple fixes and updates in patches, and I'm yet to see evidence of it. In fairness, I haven't really gone looking, but it also doesn't seem logical.

    If MS was to bundle other (security) fixes in a patch, they would quickly be identified by reverse engineering the patch and used to exploit as-yet-unpatched systems. There are people who look over these patches in extreme detail, both "white hat" and "black hat" types.

    If they bundled other fixes / changes, their business customers would get really, really pissed in a major hurry. Microsoft does NOT want to piss these people off, even with the lock they have on the market. Remember that Microsoft's whole sales pitch right now is about "total cost of ownership."

    Given this, I'm inclined to believe the "MS bundles other crap with patches" rumour to be most likely outdated. It could also be something that grew out of a misunderstanding of the difference between security patches, hotfixes, and service packs. I'm more inclined to attribute breakage to a combination of (a) imperfect patch QA and (b) badly written software / malware replacing or patching system DLLs/installing drivers that end up being incompatible with "clean" versions of some of those DLLs installed by a patch. Breakage also used to be common in win9x ... which was a horrific mess you could break by looking at it funny.

    I've personally never had issues patching an NT-derived system. I ensure they're clean before patching, and I don't use shoddy software ( in so far as is possible ). In fairness, my only Windows server is NT4 (ugh); I'm speaking mostly about the XP desktops I admin at work and the older win2k machines I've run.

    That's not to say that things don't go wrong for anybody, of course... just that in my own experience they don't tend to do so. Perhaps I'm just lucky not to use $BLAH_POPULAR_DATABASE that likes to patch ntfs.sys, or whatever other ghastly hack people might perpetrate.