‘Hundreds Of Websites Still Infected By Scob Trojan’

Just how many websites have been compromised by last week’s attack of the Scob trojan?

A report released today by Cyveillance, a U.S. based ‘provider of online risk monitoring and management solutions’, concludes that 641 sites were still infected with the JS.Scob.Trojan virus as of June 27, 2004. The company says it used its proprietary Internet monitoring technology to visit all known sites running Microsoft Internet Information Services 5.0 (IIS) — the vulnerable software — and identify which ones were compromised.

As Cyveillance CEO Panos Annastasiadas points out, “this newest form of phishing is far more devious than email-based attacks since a key-stroke logger is installed completely passively on the individual’s computer, without the victim falling for a scam.” Annastasiadas also says “loggers can capture far more personal information than is typically shared with a single phishing site.” That’s an interesting assertion, and I’m not sure it’s completely true. Some phishing sites sought — and presumably got — a wide array of personal information that would not normally be typed into the computer (and therefore not usually caught by keyboard loggers). Of course, the trojan in question may capture more than keystrokes, by, say, probing the hard disk, but I would say a social-engineered phishing attack that lures the victim into entering private data on a kosher-looking web site is going to give the attacker a much more complete picture for the purposes of ID fraud and emptying bank and credit card accounts than random passwords logged and sent back to scammer HQ.

Anyway, Cyveillance says it gathered its data from a previous audit it had conducted of some 50 million web sites, or domains. This audit had revealed some 6.2 million web sites known to run IIS 5.0, the Microsoft software with the hole. It then ran its proprietary technology over those web sites and found 641 confirmed cases. It doesn’t say what those domains were, and 641 doesn’t sound a lot. But given that this test was run several days after the initial attack, probably most of the people running those domains don’t know they’re infected, so that’s still 641 too many.

Phishing and Keylogging – The Missing Link?

Here’s evidence that ‘phishing’ – the art of conning users into handing over banking and other passwords with fake but convincing-looking emails and websites — may have branched out into viruses and worms.

Symantec, McAfee and Sophos have published details of a new virus/trojan called Stawin (also known, because the anti-virus people don’t seem to be able to standardise these things, as Keylog-Stawin, Troj/Stawin or Keylogger.Stawin) which appears to have originated in Russia, and which, once installed, will sniff for any banking transactions from about 30 banks or online payment systems in the U.S., Australia and Canada, and will capture passwords and whatnot, which it will then email, from time to time, to the hacker.

It does this via an email attachment with, usually, the title ‘I still love you’ — something that’s always nice to hear. If the email attachment — message.zip — is opened a small piece of software called a keylogger will install itself and look for the user opening a window with text in its title that matches any of about 60 different words, ranging from Westpac to Hyperwallet. The keylogger will record anything the user types into that window, store it, and occasionally email it to someone — apparently in Russia, since the email address is govnodav2004@mail.ru. (You won’t see this happening because the email is not sent via an email program but an inbuilt SMTP engine.)
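One practical consequence of that last point for anyone defending a network: mail that leaves a machine through a trojan’s own SMTP engine never passes through the user’s mail client, so outbound SMTP connections from processes that aren’t mail clients are worth alerting on. The following detection script is an added example written for this post, not code from the original or from any of the vendors named; the log format, the process names and the allowlist of mail clients are all constructed for illustration.

```python
"""Flag outbound SMTP connections made by processes that are not known mail
clients. Added example for this post, not code from the original; the log
format, process names and allowlist are constructed for illustration."""

from dataclasses import dataclass

# Ports a desktop process would use to hand mail to a server.
SMTP_PORTS = {25, 465, 587}
# Hypothetical allowlist of processes expected to speak SMTP on a desktop.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "msimn.exe"}


@dataclass
class Alert:
    timestamp: str
    process: str
    dest: str
    port: int


def parse_line(line):
    # Constructed log format: "<timestamp> <process> <dest_ip>:<port>"
    ts, proc, endpoint = line.split()
    host, port = endpoint.rsplit(":", 1)
    return ts, proc.lower(), host, int(port)


def find_rogue_smtp(lines):
    """Return an Alert for every SMTP connection from a non-mail process."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, proc, host, port = parse_line(line)
        if port in SMTP_PORTS and proc not in MAIL_CLIENTS:
            alerts.append(Alert(ts, proc, host, port))
    return alerts


# Constructed sample of per-process outbound connection records.
SAMPLE_LOG = """
2004-02-02T10:15:01 outlook.exe 192.0.2.10:25
2004-02-02T10:16:44 iexplore.exe 198.51.100.7:80
2004-02-02T10:17:09 updater.exe 203.0.113.5:25
2004-02-02T10:18:30 msimn.exe 192.0.2.10:587
2004-02-02T10:19:02 winsys32.exe 203.0.113.9:587
"""

if __name__ == "__main__":
    for a in find_rogue_smtp(SAMPLE_LOG.splitlines()):
        print(f"{a.timestamp} {a.process} -> {a.dest}:{a.port} "
              "outbound SMTP from non-mail process")
```

Run against the constructed sample it reports the two connections from `updater.exe` and `winsys32.exe` and ignores the genuine mail clients and the web traffic. In a real deployment the allowlist needs to reflect what actually sends mail on your hosts, and a simpler control is often available: block outbound port 25 from workstations at the perimeter and force mail through your own server.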

The bad news: You don’t actually need to get the email version of this to be infected. Variants of the trojan could be received just by viewing a certain webpage, on an instant messaging chat network, or on a file sharing network.

Now we already knew, thanks to the work of folk like Daniel McNamara of Code Fish, that some phishing scam emails appeared to be trying to load keylogger trojans. But this seems to be the first industrial-strength one that targets a wide range of banks and online institutions. Says Daniel, who pointed it out to me: “This is certainly the first key logger one I’ve seen go to such lengths, particularly since it targets a wide range of English-speaking banks/financial institutions.” Most previous keyloggers, he says, tend to focus on one or two banks, usually from Asia or South America.

So is this proof that Russians are behind the bigger phishing scams? Or is this all just a ruse? That email address appears to be Russian, and not just because of the server. Nick FitzGerald of Computer Virus Consulting says in a posting at SecurityFocus that he is informed by a Russian colleague that the email address is “rather crude if transliterated back into Cyrillic”.