Tigger.A Trojan Quietly Steals Stock Traders' Data
**$tarDu$t** recommends a Washington Post Security Fix blog post dissecting the Tigger.A trojan, which has been keeping a low profile while exploiting the MS08-066 vulnerability to steal data quietly from online stock brokerages and their customers. An estimated quarter million victims have been infected. The trojan uses a key code to extract its rootkit on host systems that is almost identical to the key used by the Srizbi botnet. The rootkit loads even in Safe Mode. "Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade, and Scottrade. ... Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles ... this is most likely done because the in-your-face 'hey, your-computer-is-infected-go-buy-our-software!' type alerts generated by such programs just might ... lead to all invaders getting booted from the host PC."
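The summary notes that the rootkit loads even in Safe Mode. Windows decides what starts in Safe Mode from the subkeys under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network, and registering a driver or service there is one common way malware survives a Safe Mode boot; the Security Fix post quoted here does not say that this is how Tigger does it, so treat this as a general check rather than a Tigger signature. The script below is an added example, not code from the Washington Post article or from any of the products named on the page. It parses a `reg export` style text dump of the SafeBoot key offline and lists entries missing from an allowlist. The sample export is constructed (the `hypothetical_rk.sys` and `examplesvc` entries are invented), and the allowlist is an illustrative stub: a real one must be captured from a clean machine of the same Windows build, since the default contents differ between versions.

```python
"""Flag SafeBoot\\Minimal and SafeBoot\\Network entries that are not on an allowlist.

Added example for an offline review of a 'reg export' text dump. The sample
export and the allowlist below are constructed for illustration.
"""
import re
import sys
from typing import List, Set, Tuple

# Constructed sample of a text export of
# HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot. The two non-Microsoft-looking
# entries (hypothetical_rk.sys, examplesvc) are invented, not real Tigger artifacts.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hypothetical_rk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\examplesvc]
@="Service"
"""

# Illustrative, deliberately incomplete allowlist of (mode, entry name) pairs,
# lowercased. Replace with a capture from a clean machine of the same build.
BASELINE: Set[Tuple[str, str]] = {
    ("minimal", "{36fc9e60-c465-11cf-8056-444553540000}"),
    ("minimal", "vga.sys"),
    ("network", "{36fc9e60-c465-11cf-8056-444553540000}"),
}

# Key header for a subkey directly under SafeBoot\Minimal or SafeBoot\Network.
_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(?P<mode>Minimal|Network)\\(?P<name>[^\\\]]+)\]$",
    re.IGNORECASE,
)
# The default value of each subkey names the entry type ("Driver", "Service", or a group).
_DEFAULT_VALUE_RE = re.compile(r'^@="(?P<kind>[^"]*)"$')


def parse_safeboot_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (mode, entry name, kind) for every SafeBoot subkey in the export."""
    entries: List[Tuple[str, str, str]] = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = _KEY_RE.match(line)
        if not m:
            continue
        kind = ""
        # In a .reg export the default value, if any, follows the key header directly.
        if i + 1 < len(lines):
            v = _DEFAULT_VALUE_RE.match(lines[i + 1])
            if v:
                kind = v.group("kind")
        entries.append((m.group("mode"), m.group("name"), kind))
    return entries


def unexpected_safeboot_entries(text: str, baseline: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Entries present in the export but absent from the allowlist."""
    return [e for e in parse_safeboot_export(text) if (e[0].lower(), e[1].lower()) not in baseline]


def load_reg_export(path: str) -> str:
    """reg.exe writes UTF-16LE with a BOM; fall back to UTF-8 for hand-saved copies."""
    with open(path, "rb") as fh:
        raw = fh.read()
    try:
        return raw.decode("utf-16")
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    export = load_reg_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for mode, name, kind in unexpected_safeboot_entries(export, BASELINE):
        print(f"unexpected SafeBoot\\{mode} entry: {name} ({kind or 'no type'})")
```

Run it with no arguments to check the constructed sample, or pass the path of a `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot out.reg` file taken from a suspect machine. An unexpected driver here is a lead, not a verdict: confirm what file the matching service entry under CurrentControlSet\Services points to before deciding it is hostile, and remember that a rootkit which hooks the registry APIs can hide the key from a live export, which is why this check is most trustworthy against a hive copied from the offline disk.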
Benevolent worms are a perennial suggestion in computer security, and the conclusion is always no no no no.
No, just wait until it tells you it hit rock bottom...
Can that happen?
Interestingly the Tigger trojan actually goes to the trouble of removing other more 'intrusive' malware that Anti-malware products currently detect in order to keep a low profile.
This makes me wonder just how widespread it could be.
If only there were a similar piece of malware in direct competition with this particular trojan such that both would attempt to remove the other and successfully do so.
It is interesting how malware is adapting so that not only is it able to spread more quickly to a larger number of machines, but also that it's attempting to increase its lifespan by killing off other malware so that the host may not notice that it's infected. I wonder how long it will be until a particular program updates a virus definition list or something similar to remove all other competing malware programs as they come into existence. Also, how much better will the malware be at quickly patching machines against new zero-day exploits than actual virus scanning and prevention software?
Agreed, let's go after the bailout recipients.
No. It should be assumed this person has familiarity with those systems, in order to develop the code. Acting alone (highly probable), that means he likely has/had accounts with many if not all of those financial service providers. That grossly limits the number of available suspects. His industry and age also narrow the list even further. That probably leaves perhaps 10k worth of potential suspects in the pool. I'd be guessing, but he probably hopes to convert the stolen accounts' stocks to cash, launder it through a third party (PayPal perhaps), and then return those assets as stock purchases to avoid taxation, which means you only need the cooperation of a few of those providers and demographic data. Link it with possible terrorism to bypass the usual rules that would prevent a dragnet, and chances are good you find your man. At least, that's how I'd investigate.
#fuckbeta #iamslashdot #dicemustdie
Version 2.0 won't just steal data. It'll make trades. Aside from the obvious theft possibilities, the controller would have the ability to create his very own economic meltdown, in any companies he wished, limited only by the size of his botnet...
I wonder if how the virus was spread could give clues to "who knows who". I.e., did all the machines infected at ScottTrade start from a single intrusion, or was there some type of sharing of data between ScottTrade and TD Ameritrade? Not necessarily illicit, but seeing formal and informal alliances.
"If you must have crime, at least it should be organized crime..."
Attributed to the Patrician of Ankh-Morpork
No sig for the moment.
I don't know em personally either, but I've got enough experience with DSM and psychological profiling to call shenanigans on your assessment.
And yet you don't state your qualifications. Well, here's mine: I have been in information technology for eleven years, have done network and system administration at the enterprise level, and have assisted investigators tracking down so-called "hackers". I also have about four years of programming experience, mostly to support the aforementioned. I also have spent a significant portion of my professional time learning digital forensics, taking apart malware kits, and have friends that do skip-tracing professionally (they track people down, and I know people who do civil and criminal). I have also worked on classified government systems (can't say which, obviously), and busted two people on-site who attempted to access information without authorization on those systems (the men with shotguns came and took them away). I do know what to look for, and I have caught people who thought they were so very much smarter than we were. Repeatedly, and sometimes in the flesh.
You're right, I have no idea who this person or people are. That said, if this guy was working with a herder or someone with access, the vector would have been found by now. It hasn't, which means they're not using an established botnet for deployment. Not only that, but while some of the programmatic methods may be similar, that alone shouldn't make an investigator jump to the conclusion that the two are in contact with one another. Especially not with the volumes of security research on how these networks operate available to the public. Even Slashdot has published links to the aforementioned! All this said, again, you're also right that I don't have a degree in psychology, or criminal profiling, etc. -- I just deal with these people on the front line and I'm going by what my gut and my experience tell me should be there. A real profiler would start with known facts, which I don't have, and have a support team to get definitive answers, which I also don't have. It's still a lot better an educated guess than most people here could make.
#fuckbeta #iamslashdot #dicemustdie