Slashdot Mirror


Trojan Analysis Leads To Russian Data Hoard

Stolen Identity writes "An attack by a single Trojan variant compromises thousands, circumvents SSL, and uploads the results to a Russian dropzone server. A unique blow-by-blow analysis reveals evidence of cooperation between groups of malware specialists acting as service providers and points to the future of malware's growing underground economy."

8 of 103 comments

  1. What About Firefox Users? by eldavojohn · · Score: 5, Interesting
    From the article,
    • Steals SSL data using advanced Winsock2 functionality
    • State-of-the-art, modularized trojan code
    • Spread through IE browser exploits
    • etc ...
    When I read the Slashdot summary, I was initially concerned that I may be at risk. But then I noticed the above three lines and realized there was no risk since I don't use IE.

    But, in the end, if this is an exploit utilizing the very basic network DLL that windows provides for socket connections (Winsock2--which is what I assume all network applications eventually link against in Windows) then why aren't other browsers at risk?

    I know Firefox is awesome & more secure & all that jazz but I haven't done enough network programming to know the nitty gritty details of it. Does anyone know why, if this trojan is exploiting the basic socket connection library that the Windows API provides, all browsers aren't potential victims?

    I mean, it makes sense to introduce some sort of security that never ever lets anything but the browser's code access the interfaces to these libraries ... is IE really that flawed?
    --
    My work here is dung.
    1. Re:What About Firefox Users? by BlueTrin · · Score: 5, Funny

      is IE really that flawed?

      +2 funny

      --
      Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
    2. Re:What About Firefox Users? by Aladrin · · Score: 4, Informative

      You stopped reading too early. Later in TFA, it shows a screencap of the website that has badly translated text that basically says 'Snatch 2 - will work on firefox'. In other words, you're not affected... yet.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    3. Re:What About Firefox Users? by Cyberax · · Score: 4, Informative

      No, IE uses a layer called WinInet to access the Internet (http://msdn2.microsoft.com/en-us/library/aa385483.aspx). It automatically provides SSL/TLS connectivity to IE.

      Firefox uses basic sockets and encrypts data using a standalone SSL library.

  2. Re:Possible solution... by BlueTrin · · Score: 4, Insightful

    I guess the major flaw would be that I could write code and report it?

    --
    Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
  3. headline strike again! by Arielholic · · Score: 5, Funny

    Trojan Analysis Leads To Russian Data Hoard

    So the analysis led to the hoarding? Everybody stop analyzing NOW!

  4. Re:IP traceback by Klaus_1250 · · Score: 4, Informative

    I doubt they will use a single IP for long; in fact, I would say that if they are pros, they'll only use it for several hours. There are quite a few organizations tracing and logging such IPs, and some of the better security software blocks them. The longer you use a single IP, the less effective they'll be and the higher the risks.

    --
    It only takes one man to change the Wisdom of the Crowd to Tyranny of the Masses.
  5. Who's the target customer? by BobMcD · · Score: 4, Insightful

    What frustrates me a bit about TFA is where they stopped. They identified what the malware is, does, where it comes from, etc. They seem to have left out the 'why' part of the equation. Who would buy the data, and for what purpose? Dig a little deeper here. What we are defending against becomes a lot clearer when the motives of the attacker are known. This exploit is sophisticated and mature. It appears to be a viable business. This is not the action of an individual bent on personal gain, rather a true-world example of organized crime. This is much more serious than we're being led to believe. This is what gives me pause: What kind of customer would pay for access to such a broad set of data?