Tag Archives: Roger Thompson

A Phishing Worm

Welcome to the phishing worm.

Korgo, a new worm that appeared last week, scans random machines to infect and attack, exploiting a Windows vulnerability known as the LSASS flaw, which was discovered in April, according to Internet Week. Korgo, also known as Padobot, then sits on the user’s computer waiting for instructions from home. Most such bots open up the victim’s computer for relaying spam, launching denial-of-service attacks, or infecting other machines.

Korgo seems to go one step further. According to F-Secure, Korgo “seems to be stealing user information very aggressively through keylogging techniques.” Mikko writes on his blog (sorry, no permanent link available): “The Korgo network worm keeps spreading actively, and it’s aggressively stealing user information from infected machines. It does this via a keylogger which specifically collects user logins for online banks (the ones which do not use one-time passwords). It also logs everything the user types to any web form – this will collect lots of credit card numbers, passwords etc.”

This would, if true, mean that users don’t need to receive an email, visit an infected site, or unwittingly download anything for their passwords to be stolen. That would seem to take phishing to the next level in that it doesn’t involve email, either as a form of transmission or as a lure. Roger Thompson of PestPatrol agrees it’s probably the first: “There have been bots that phish, but I don’t think any have specifically targeted banks”.

For some reason McAfee and the others are rating Korgo as a low threat, and make no mention that I can find of its keylogging abilities. I’ve asked F-Secure for more information, including which banks are targeted. I’m also not sure whether there have been previous worms that capture banking passwords. What does seem clear is that the worm is Russian in origin. F-Secure says it believes the HangUP Team, a team of Russian hackers, is the worm’s ‘probable creator’.

Welcome To Wallon

Turns out I was wrong about the socially engineered spam I wrote about a few days back. Prompted by some readers’ comments, I asked Sophos about it. This is what Carole Theriault has to say about it:

This is a mass-mailing worm. It is called Wallon-A.
Essentially, it goes to a dodgy website and downloads a dialler program. Diallers change your modem connection number to a premium rate number without your knowledge or consent… This is essentially unsolicited mail with a dodgy link.

Roger Thompson of PestPatrol tells me: “it’s a mass mailer, but no attachment… just a URL. The URL goes through a bunch of redirections until it gets to the real website, where it downloads the payload using one of the current exploits.”

Anyway, apologies to everyone for getting it wrong before.