How the Grinch Stole Keystrokes
Shane Coursen, 2001-12-23

The virus known as BadTrans.B left nothing but trouble under the tree.

The BadTrans.B virus was a lump of coal in a lot of inboxes this season.

Formally known as W32/BadTrans.B@mm, this holiday surprise arrives in the form of a virus with a built-in Trojan horse. In addition to responding to email messages en masse via Microsoft Outlook, BadTrans.B also drops a dangerous Trojan horse that sits quietly in the background recording data the user types into the keyboard. At regular intervals the collected information is sent off to the email address of an attacker.

The potential damage to a victim's privacy is enormous.

The virus installs the key logger as an insignificant 5,632 byte file named KDLL.DLL. The key logger, sometimes dropped as HKSDLL.DLL, has long been identified by antivirus scanners, most often as "Hooker."

After being dropped, Hooker immediately goes to work. But significantly, it doesn't blindly record everything an end-user types. Following a preprogrammed routine, it activates only when it believes the user is keying in something of interest.

According to a detailed Symantec analysis by respected antivirus researcher Peter Ferrie, Hooker listens in only when the running program's title bar contains the following as the first three characters: LOG, PAS, REM, CON, TER or NET. Each three-letter combination corresponds with a program that prompts the user to enter sensitive information. In order, they are as follows: LOGon, PASsword, REMote, CONnection, TERminal & NETwork.

The Windows 98 title bar for dial-up networking, for example, is "LOGon," so by spying on the user while "LOG" is in the title bar, Hooker has the ability to record passwords that are masked with asterisks.

Hooker was obviously designed to watch for and catch only the most sensitive pieces of information. This is a clever move, as it helps to reduce degradation in system performance that could be noticed through casual observation. The reduced functionality also considerably lessens the amount of data a would-be attacker would have to sort through on the receiving end, and might allow an attacker to exploit the stolen passwords before the victim has a chance to change them.
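To make the trigger logic concrete, here is an added Python example (not from the article or from Ferrie's analysis) that replays a constructed keystroke stream through the same title-bar test and scans a scratch directory for the dropped file names the article gives; the case-insensitive comparison and the temporary directory layout are assumptions.

```python
import tempfile
from pathlib import Path

# Title-bar prefixes Hooker watches for, as reported in the article.
TRIGGER_PREFIXES = ("LOG", "PAS", "REM", "CON", "TER", "NET")

# File names the article gives for the dropped key logger, and the
# 5,632-byte size it reports for KDLL.DLL.
DROPPED_NAMES = {"kdll.dll", "hksdll.dll"}
DROPPED_SIZE = 5632


def is_trigger_title(title: str) -> bool:
    """True if a foreground window title starts with a watched prefix.
    Assumption: comparison is case-insensitive, so "Logon" matches "LOG";
    the article does not say how Hooker handles case."""
    return title[:3].upper() in TRIGGER_PREFIXES


def captured_keystrokes(events):
    """Replay (window_title, keystroke) events and return only the keystrokes
    the selective logger would record; typing outside a watched window is
    ignored, which is the behaviour the article describes."""
    return [key for title, key in events if is_trigger_title(title)]


def find_dropped_files(root):
    """Walk a directory tree and report files whose name matches a dropped
    DLL name. Returns (path, size, size_matches) so a re-packed copy with a
    different size is still reported rather than silently skipped."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in DROPPED_NAMES:
            size = path.stat().st_size
            hits.append((str(path), size, size == DROPPED_SIZE))
    return hits


def demo():
    """Constructed sample: a short keystroke stream and a scratch directory
    holding a dummy KDLL.DLL of the stated size plus an unrelated DLL."""
    events = [("Logon", "s"), ("Logon", "3"), ("Untitled - Notepad", "h"),
              ("Password Required", "p"), ("Terminal", "x"), ("Calculator", "1")]
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp) / "System"
        sysdir.mkdir()
        (sysdir / "KDLL.DLL").write_bytes(b"\0" * DROPPED_SIZE)  # dummy bytes, not the real file
        (sysdir / "USER32.DLL").write_bytes(b"\0" * 100)
        hits = find_dropped_files(tmp)
    return captured_keystrokes(events), hits


if __name__ == "__main__":
    keys, hits = demo()
    print("keystrokes Hooker would log:", "".join(keys))
    for path, size, ok in hits:
        print(f"dropped-file indicator: {path} ({size} bytes, size match={ok})")
```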

Mailbox Mayhem
Where does the information go? To one of several email addresses coded into the Trojan -- many, but not all, of which are now non-operational. While such email addresses can usually be shut down by responsible authorities in short order, that doesn't entirely solve the privacy problem: your personal information is still out there on the Internet, and could possibly be made available to third parties. This month reports even surfaced that the FBI was seeking access to one cache of stolen keystrokes.

If you were one of the thousands infected with W32/BadTrans.B@mm, you may be interested in checking out the database at badtrans.monkeybrains.net.

BadTrans.B isn't only about collecting personal information; it is also about inconvenience. One of its tricks is to make it look like the infected email was sent by somebody other than who actually sent it.

This had a particularly bad effect on one Joanna L. Castillo. The email address that she had been using for nearly eight years was made worthless by BadTrans.B, which used Joanna's as one of its 15 fake return addresses, causing her mailbox to be flooded with replies and bounces.

A virus acting as an irritant to a specific person or group isn't new: recently we saw Code Red hardwired to attempt a DDoS against whitehouse.gov. Authorities were able to avert the attack by changing the White House's IP address.

Changing an established email address isn't accomplished quite so easily, and this presents one of the greatest inconveniences of all. BadTrans.B clearly shows us that the electronic addresses that we hold so dear and rely upon so heavily to make impressions and enhance our digital identity are just as vulnerable to attack.

Shane Coursen has worked in the field of antivirus research since 1992. He is currently CEO of WildList Organization International.
Copyright 2010, SecurityFocus