Tigger.A Trojan Quietly Steals Stock Traders' Data

**$tarDu$t** recommends a Washington Post Security Fix blog post dissecting the Tigger.A trojan, which has been keeping a low profile while exploiting the MS08-66 vulnerability to steal data quietly from online stock brokerages and their customers. An estimated quarter million victims have been infected. The trojan uses a key code to extract its rootkit on host systems that is almost identical to the key used by the Srizbi botnet. The rootkit loads even in Safe Mode. "Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade, and Scottrade. ... Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles ... this is most likely done because the in-your-face 'hey, your-computer-is-infected-go-buy-our-software!' type alerts generated by such programs just might ... lead to all invaders getting booted from the host PC."

Operating Systems List (XP Only)

[solder_fox]

It would be nice if they had a list of Antivirus programs that were effective and/or operating systems affected, nice and prominent somewhere linked from the article.

FYI, from the security bulletin:

Affected software:
XP Service Pack 2 & 3
XP Pro x64 and x64 Service Pack 2
Server 2003 Service Packs 1 & 2
Server 2003 x64 and x64 Service Pack 2
Server 2003 with SP1 and SP2 for Itanium

Non-affected:
Win2K SP 4
Vista & Vista SP1
Vista x64&SP1
Server 2008 32
Server 2008 x64
Server 2008 Itanium

Re:sourcing the problem

[johnsonav]

Forget tracing back through the network -- find out where the money is going. You have a many-to-one relationship, it's unlikely this guy is smart enough to launder money effectively -- the entire attack scenario points to someone new and inexperienced, and is acting alone hoping this will reduce his risk exposure.

I would imagine the guy who wrote this isn't working alone. Most of these kinds of attacks aren't meant to directly transfer money from the victim's brokerage account to an account controlled by the attacker.

They use the hijacked accounts to purchase large quantities of a low-volume penny stock. The attacker, or the group he works for, already have a large position in that stock. The huge increase in demand pushes the price for the stock up. This causes all kinds of people to sell--including the attacker. And they make a tidy profit, while the victims are left with a large quantity of over-priced stock.

The hard part about catching the perpetrators is sifting through the list of all the people who sold the stock at the inflated prices. A bunch of people make money from a scam like this, but only one is the criminal.

Re:sourcing the problem

[NeutronCowboy]

I was about to post the same exact words. The analysis is completely faulty, based on some incredibly vague and unrelated statistics, and the call to action includes zero verification of those assumptions. Narrowing the US population to the specified profile would probably provide a single hit, but that hit would also almost certainly not be related to the trojan. That's because this is a pure case of garbage in, garbage out.