ID Theft Keylogger Examined
March 8, 2008 – 4:16 PM
I have had email conversations with a number of people at Sunbelt Software about the ID theft ring they discovered recently. They were kind enough to provide a HijackThis log entry that identifies the keylogger. I promised not to publish it but said I would warn the helpers at the message board to keep an eye out for any victims. Unfortunately, we discovered that dozens of people had been infected. We set about trying to contact them all privately.
Since the HijackThis log entry now has been published elsewhere, including on Sunbelt’s web site, I will go ahead and reveal it. Download HijackThis and scan the computer. If the following entry is present in the results, then the computer is infected with this spyware and the user(s) of that computer might be victims of identity theft:
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
Sunbelt has created a free tool to remove this trojan safely. If that entry is found on any computer that you are examining or fixing, visit this page (http://research.sunbelt-software.com/ssaclean.cfm). Download the program linked there, then unplug that computer’s modem from the internet. Leave it unplugged until after the trojan has been removed. I’ve submitted the keylogger to several antispyware and antivirus vendors, so they should be detecting it shortly, if they don’t already.
Sunbelt has named this trojan Srv.SSA-KeyLogger.
After that has been done, you then have the sad duty to inform the owner of the machine that they may be the victim of identity theft. From an uninfected machine, they need to log into any web site where they have an account and change their passwords. They also should contact their banks and credit card lenders and inform them of the situation.
Based on that HijackThis entry, some of the spyware gurus at the message board obtained a copy of the keylogger and set about examining it in detail. Compared to the browser hijackers and spyware that we see normally, this keylogger is extraordinarily sophisticated.
This keylogger is downloaded and installed by a browser hijacker identified widely as CWS. The computer first has to be infected with a particular variant of this hijacker. After that variant is installed, it downloads this keylogger and then installs it.
At this point, it still is unclear why the hijacker software is installing the keylogger. The person responsible for it might have been paid by a third party to install this file without an explanation of what it does. In that case, the people responsible for the hijacker are unwitting accomplices in this identity theft operation. It is a common practice for one browser hijacker to download and install several others.
CoolWebSearch.com has released a statement denying any involvement with this situation. The statement says that if anyone has evidence that one of their affiliates is involved, they will contact the FBI with information about the affiliate and immediately suspend their account. I have taken them up on their offer and contacted them to find out if the web sites involved in the browser hijacker belong to one of their affiliates. As much as I personally dislike CoolWebSearch, I would hate to finger them for something like this if they are not responsible.
The keylogger also can be installed separately from the browser hijacker by visiting certain web sites. The main pages of these web sites are pay-per-click search portals and have a design very similar to that of coolwebsearch.com and their affiliates.
Once the keylogger is installed, a surprising number of things happen to the infected computer.
Several web sites owned by antivirus and antispyware companies are blocked by modifying the HOSTS file. Mike Burgess of MVPS speculates that since legitimate antimalware web sites are blocked, an infected victim will begin clicking links on the hijacker’s web site to find an antispyware program. When that happens, the hijacker ends up being paid for the link referral plus a commission if the victim buys the antispyware program.
I should point out that any antispyware companies advertising on such web sites nearly always are found in the Rogue Antispyware list and are not recommended.
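A HOSTS file can be audited for the kind of blocking described above. The following is an added example, not part of the original article or Sunbelt's tool. The article does not name the blocked sites, so the watchlist domains are hypothetical placeholders and the sample HOSTS file is constructed; the check also reports redirects to other addresses, which goes slightly beyond the blocking the article describes.

```python
import ipaddress

# Hypothetical watchlist: placeholder domains standing in for the antivirus and
# antispyware vendor sites (the article does not list the real ones).
WATCHLIST = ("antivirus-vendor.example", "antispyware-vendor.example")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in a HOSTS file."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()    # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, not a mapping
        for host in fields[1:]:                  # one line may carry several names
            yield no, ip, host.lower().rstrip(".")

def on_watchlist(host):
    """True for a watchlisted domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def audit_hosts(text):
    """Return (line_no, host, ip, kind) for watchlisted names that HOSTS overrides.

    HOSTS takes precedence over DNS, so any entry for a security vendor's site
    is suspect; loopback or 0.0.0.0 targets simply make the site unreachable.
    """
    findings = []
    for no, ip, host in parse_hosts(text):
        if not on_watchlist(host):
            continue
        kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((no, host, str(ip), kind))
    return findings

# Constructed sample HOSTS file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       www.antivirus-vendor.example  update.antivirus-vendor.example
0.0.0.0         ANTISPYWARE-VENDOR.EXAMPLE    # added by installer
203.0.113.7     download.antivirus-vendor.example
10.0.0.5        intranet.corp.example
"""

if __name__ == "__main__":
    for no, host, ip, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"HOSTS line {no}: {host} -> {ip} ({kind})")
```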
The keylogger itself is set up to run every time the computer restarts. A registry key is written which loads the keylogger even before any user logs into their account. Again, that entry can be identified in a HijackThis scan as O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe.
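For helpers reviewing many posted logs, the check for this O4 Run entry can be automated. This is an added example, not code from the original article or from HijackThis; the sample log is constructed, and flagging the same file name under a different value name is an assumption about what a reviewer would also want to see.

```python
import re
from pathlib import PureWindowsPath

# Indicator taken from the article: Run value "load32" launching winldra.exe.
IOC_VALUE_NAME = "load32"
IOC_FILE_NAME = "winldra.exe"

# O4 autorun line: "O4 - HKLM\..\Run: [name] command"; forums may turn "-" into a dash.
O4_RE = re.compile(
    r"^O4\s*[-\u2013\u2014]\s*(?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>[^:]+):\s*"
    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+?)\s*$",
    re.IGNORECASE,
)

def executable_of(cmd):
    """Return the lower-cased file name of the program an autorun command starts."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, may contain spaces
        return PureWindowsPath(cmd[1:].split('"', 1)[0]).name.lower()
    # Unquoted: take text up to the first ".exe", otherwise the first token.
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    target = m.group(1) if m else cmd.split()[0]
    return PureWindowsPath(target).name.lower()

def scan_log(text):
    """Return (line_no, reason, line) for every O4 entry matching the indicator."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name_hit = m["name"].strip().lower() == IOC_VALUE_NAME
        file_hit = executable_of(m["cmd"]) == IOC_FILE_NAME
        if name_hit and file_hit:
            hits.append((no, "exact match", line.strip()))
        elif file_hit:
            hits.append((no, "file name match, different value name", line.strip()))
    return hits

# Constructed sample log; line 3 is the entry from the article with a forum-mangled dash.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O4 – HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKCU\..\Run: [updater] c:\windows\SYSTEM32\WINLDRA.EXE -s
"""

if __name__ == "__main__":
    for no, reason, line in scan_log(SAMPLE_LOG):
        print(f"line {no}: {reason}: {line}")
```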
This spyware also performs another very cute trick. Just in case someone has discovered that malware has been installed and tries to clean it off, a PE virus infects a harmless program set to load at startup. The program that is infected is chosen at random from the list of start up entries found in the registry. Once this is done, the computer is reinfected with this trojan when it restarts.
This keylogger appears to be designed specifically to capture passwords and user names. It captures chat sessions and collects passwords from various programs such as FTP clients. It reads information from the Windows Clipboard. It also captures data from Internet Explorer’s “Protected Storage”. This information is dumped into a log file. Once the log file reaches a certain size, the information is uploaded to a remote web server.
After some research, several people have found indications that an older version of this trojan has been infecting people for several months, possibly as far back as December 2004.
A web server is installed on the computer, along with a PHP scripting engine, allowing PHP scripts to be run on the infected computer. PHP is a scripting language used on millions of web sites, including Spywareinfo.com. Some of the PHP scripts included with this trojan allow a person to run programs on the infected computer from a remote location. We are still studying this web server.
Both SMTP and POP3 email servers are installed. Shortly thereafter, the computer begins spewing out spam.
Part of a rootkit is installed, which has been identified as Haxdoor.
The Windows Task Manager is replaced with an altered version.
Internet Explorer itself is infected. A DLL library file hooks into Iexplore.exe using process injection. This means that a firewall might not prevent this trojan from accessing the internet.
The Windows Security Center, installed as part of Windows XP SP2, is disabled. The Windows Firewall and the Automatic Updates services are disabled. If the computer is running Windows XP and does not have Service Pack 2 installed already, the registry is altered in a way that would cause installation of this service pack to fail.
One person reported that files from the program Total Uninstall 3 had been modified to render it inoperable.
The trojan connects to a certain page of a certain web site every five seconds. From this web page, with no password needed, someone can send commands to every infected machine still connected to the internet.
This very clearly is one of the worst malware infections I have ever seen. This whole newsletter is two days late because every time I thought I’d finished this article, we discovered something new about the trojan.
Again, running this tool from Sunbelt (http://research.sunbelt-software.com/ssaclean.cfm) should remove this particular trojan. Other antispyware and antivirus products should begin detecting it very shortly.
Credit for all of the analysis that I have tried to explain here goes to a large number of people: Patrick Jordan (aka Webhelper), Eric Sites and Alex Eckelberry of Sunbelt Software; a couple of researchers from Microsoft that I probably shouldn’t name; Eric Howes and Suzi from spywarewarrior.com; Paul Laudanski (aka Zhen-Xjell) from Castlecops; and, from the online antispyware community, Tuxedo_jack, JackB, Avohir, Grinler, Mike Burgess (aka WinHelp2002), Merijn, Metallica, Didom, TheJoker, cnm, jedi, miekiemoes, Swandog46, Atribune, WaRHaWK and Bobbi_Flekman. If I left anyone out, I apologize. There literally were dozens of people picking this thing apart over the last few days.
We are continuing to post news stories related to this ID theft ring in our news section.