Tigger.A Trojan Quietly Steals Stock Traders' Data
**$tarDu$t** recommends a Washington Post Security Fix blog post dissecting the Tigger.A trojan, which has been keeping a low profile while exploiting the MS08-66 vulnerability to steal data quietly from online stock brokerages and their customers. An estimated quarter million victims have been infected. The trojan uses a key code to extract its rootkit on host systems that is almost identical to the key used by the Srizbi botnet. The rootkit loads even in Safe Mode. "Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade, and Scottrade. ... Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles ... this is most likely done because the in-your-face 'hey, your-computer-is-infected-go-buy-our-software!' type alerts generated by such programs just might ... lead to all invaders getting booted from the host PC."
Attacks like this, namely single vector and single target, point to a single person or small number of persons who have found some way of using the data to profit themselves. We're probably looking at someone in their late 20s, based in the United States (cursory examination -- appears the institutions are all English and based in the US), upper middle class, 5-7 years experience programming (self-explanatory), single, male, and with a history of mental health disorders along axis IV, socially under-developed (the two are usually related, and most white-collar criminals have mental health disorders but are still highly intelligent), and likely recently became unemployed and is trying to maintain his upper-middle class income.
Forget tracing back through the network -- find out where the money is going. You have a many-to-one relationship, it's unlikely this guy is smart enough to launder money effectively -- the entire attack scenario points to someone new and inexperienced, and is acting alone hoping this will reduce his risk exposure. The differential is the profile above -- find someone who was recently in debt, and is now very much out of debt.
Have fun.
#fuckbeta #iamslashdot #dicemustdie
I thought some of the online brokerages were already using SecurID (or similar) authentication?
If libertarians are so opposed to effective government, why don't they all move to Somalia?
It would be nice if they had a list of Antivirus programs that were effective and/or operating systems affected, nice and prominent somewhere linked from the article.
FYI, from the security bulletin:
Affected software:
XP Service Pack 2 & 3
XP Pro x64 and x64 Service Pack 2
Server 2003 Service Packs 1 & 2
Server 2003 x64 and x64 Service Pack 2
Server 2003 with SP1 and SP2 for Itanium
Non-affected:
Win2K SP 4
Vista & Vista SP1
Vista x64 & SP1
Server 2008 32
Server 2008 x64
Server 2008 Itanium
--- Thousands are enslaved every day.
All the focus here is on the AV finding the rootkit. Everyone forgets if they would have kept the machine updated, the rootkit or virus would not have been able to infect the machine in the first place. AV is a second layer of defense. MS Windows machines should be set up to update automatically. MS released the fix for the vulnerability this rootkit took advantage of a month or two before the rootkit was released.
You mean the record-low unemployment and explosive economic growth years
Rofl...are you kidding? Explosive economic growth due to unregulated markets ballooning into a giant bubble? This is just like putting rocket boots on all the wolves in the forest and then acting surprised when all the deer have been eaten, and now the wolves are somehow starving to death.
I don't know where you got that bullshit about democrats forcing banks to loan to poor people. Banks did this intentionally and voluntarily, because they had bad statistical models that told them housing prices would go up forever, and they marketed bad (likely to foreclose) mortgage products, and they sold mortgages with little or no accurate risk data (ie: realtors/banks were lying about buyer salaries). Congress, let alone a democratic congress, had nothing to do with "forcing" this on banks...
So much for the ethic of graciously accepting criticism and trying to improve yourself. I guess you prefer the option that entails fostering further ignorance so that you can feel better about yourself.
So what's your excuse for failing to close your "blockquote" element? You can't spell, promote ignorance in others, *AND* you mark up for shit?
I don't buy the whole "not his last will and testament" argument either. You try to do things well even when it matters least so that when it does matter, it is easier to excel from practice.
After all, you don't always know when it'll matter. It's like always using your turn signal even when you don't see anyone else there. If you always saw them (and they, you), there wouldn't be a point to turn signals, would there? It's perhaps those times you don't realize are important that matter most.
Your sentences were so poorly constructed that I had to read them several times over just to garner what possible meaning you were trying to express. And you say a lot of things that are, well, plain stupid ('A little news for you/some FYI' says the same thing and needs no emphasis, why repeat it? Also, 'etc. et al' is just redundant at best).
I agree that perfect grammar is not important when what you write conveys the message you intend it to convey. But even by that measure you need to educate yourself on sentence construction. Until you master the basics of grammar, fighting on a grammatical front is just fighting out of ignorance.
Let me summarise my point for your small brain. It is not the occasional annoyance of grammarians that annoys slashdotters about ACs. It is the people who speak out of ignorance - particularly the argumentative ones.