Trojan Analysis Leads To Russian Data Hoard
Stolen Identity writes "An attack by a single Trojan variant compromises thousands, circumvents SSL, and uploads the results to a Russian dropzone server. A unique blow-by-blow analysis reveals evidence of cooperation between groups of malware specialists acting as service providers and points to the future of malware's growing underground economy."
You need IE to install the trojan; once it is running, it will compromise all SSL traffic.
You stopped reading too early. Later in TFA, it shows a screencap of the website that has badly translated text that basically says 'Snatch 2 - will work on firefox'. In other words, you're not affected... yet.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
Well, it uses an IE browser exploit to get in, so if you don't use IE, you're at low risk. But far be it from anyone to think that these crooks won't find a way to deliver the Trojan in another manner if their IE route dries up. Everyone will have to remain vigilant, because if it gets on your system, it can theoretically corrupt any browser.
GetOuttaMySpace - The Anti-Social Network
I doubt they will use a single IP for long; in fact, I would say that if they are pros, they'll only use it for several hours. There are quite a few organizations tracing and logging such IPs, and some of the better security software blocks them. The longer you use a single IP, the less effective they'll be and the higher the risks.
It only takes one man to change the Wisdom of the Crowd to Tyranny of the Masses.
No, IE uses a layer called WinInet to access the Internet (http://msdn2.microsoft.com/en-us/library/aa385483.aspx). It automatically provides SSL/TLS connectivity to IE.
Firefox uses basic sockets and encrypts data using a standalone SSL library.
The actual IP is 81.95.146.98, and is indeed in Russia, although this IP is no longer responding on port 80.
http://web.archive.org/web/*/81.95.146.98/* is slightly useful in seeing how exactly someone could get infected, but win.exe is truncated at 4096 bytes, so there's nothing to play with there ;)
This comes from my experience:
:)
Most Russian coders [in Russia] are assholes and lazy. I am Russian and grew up in Canada. I went to Russia to work for a while, to see how it is. After all, wages in Moscow are $2000+, so I wasn't just surviving.
I was a little dismayed at the experience of being in Russia, finding that while there are a lot of brilliant coders, many are lazy and have too few team skills to be usable in a company. Another thing: Russians are daring, so this sort of stuff comes up all the time. They won't do work, but throw them a challenge and they'd go at it.
To put it another way, those who can do and care to work left a long time ago. Those who stay are the ones who aren't willing to change, thinking that the old Russian ways are fine. In addition, real estate prices in Moscow are soaring. Many sysadmins made their way to buying an apartment by reselling hardware to their own company at a 5x - 100x markup. Yes, these things happen.
What can I say, it's a mess, really.
This virus isn't a surprise; there are a lot more covert viruses, I'd tell you. Ones that do embed themselves in the kernel, not as a process or a program.
Cheers.
The one I'm most familiar with is to get mail from Outlook to Thunderbird. M$'s own interface is terrible and forces the user to save each message as text one at a time with poor control of output location. Mozilla automates the use of the program called, but still uses the program.
You might also look at Mozilla's ActiveX. While I'm sure it's much saner than the controls which were exploited in this thread's topic, it's still a use of M$'s unsafe machinery.
Finally, even good code is more dangerous on Windoze than elsewhere. M$ has not yet properly implemented users, permissions and other safety features found in the Unix world. This is one of the reasons it's always been so much easier to break a Windoze box than anything else. The other reason is that most M$ code is poor quality. They bought it and hacked it together and have always shipped with known bugs.
Friends don't help friends install M$ junk.