More on Korgo; I wish I could say it was the last. But the good news is that it does not seem to be the all-in-one ‘phishing worm’ F-Secure said it was.
F-Secure has clarified the situation over the Internet worm Korgo, which seems to answer some of the questions in my earlier posting. Korgo does not include a keylogger, nor any code to steal banking info. But, F-Secure says, “it seems that the Hangup Team (virus group behind the worm) is actively installing a keylogging trojan known as Padodor to the infected computers.” This is done via a backdoor left by Korgo.
Padodor collects anything typed into any web form, and specifically logs bank logins for users of some international banks. Padodor is not the same as Padobot, which is one of the aliases of Korgo. Bottom line, according to F-Secure: “Not all machines infected by Korgo have Padobot, and Padobot can be found on machines which are not infected by Korgo.” (In fact, I may be wrong, but I think F-Secure means Padodor here: “Not all machines infected by Korgo have Padodor, and Padodor can be found on machines which are not infected by Korgo.” No?)
The thing here is that a worm does the distribution work, infecting computers. Then there’s the bot, or trojan, that is the payload. This is the bit that does the money-generating work. That can either be loaded onto computers as part of the original worm, or else it can be loaded later via the backdoor left by the original worm. So here F-Secure has mistakenly assumed the keylogging bit was part of Korgo, which it wasn’t.
More on the phishing worm I mentioned in a previous post.
Mikko H. Hypponen of F-Secure has passed on a little more information. He says it’s “pretty big, but still far away from outbreaks like Sasser or Mydoom”. So far “at least 50,000 machines are infected worldwide, possibly more”. He says Korgo does “specifically target at least three online banking systems, but I don’t want to go into details”. But since it also “collects anything typed at the computer keyboard, it basically targets any bank where users can access their account without a one-time password”. That would mean a lot of data to shovel back to scam HQ; I’m assuming it limits keylogging to when the user is browsing, but Mikko doesn’t say more on that.
He points out that while this is the first automatic — in other words, it doesn’t use email or other methods to get around — worm to do this bank website keylogging, it’s not the first virus. In fact, the same Russian hacker group he believes is responsible for this worm, the HangUP Team, was also believed to be behind Webber and Banker, two other bank-related viruses.
Mikko also reminds us of the history of bank-related viruses, including the Bugbear.B worm, which contained a long list of target banks, and collected cached passwords. Which I suppose raises the old question: Does a phisher have to involve some sort of social engineering to be a phisher? Given that the guys doing this kind of thing all seem to be members of the same gang, does it matter what name we give it?
There’s talk of several new viruses out there which can do some serious damage. Here are a couple, in brief:
- MyDoom (sometimes known as Novarg and as a variant of the Mimail virus) has random subject lines such as “Mail Delivery System,” “Test” or “Mail Transaction Failed” and contains an executable file and a statement such as: “The message contains Unicode characters and has been sent as a binary attachment.” CNET quotes Vincent Gullotto, of Network Associates, as saying “It’s huge. We have it as a high-risk outbreak.”
- Dumaru has the subject line ‘Important message for you. Read it immediately!’ and may be from someone with an email address that contains expletives (a dead giveaway, unless those are the kind of friends you have). Sophos says the worm poses as an emailed photograph, whilst really attempting to steal online banking details in the background. This is done by something called key-logging — the worm will load software which can capture your keystrokes and send them to the ne’er-do-well so they can access your bank account.
Wayne Rash of InfoWorld, writing last week of the arrival of a worm called Bagle, reckons this kind of outbreak is closely related to college terms. “The worms of summer tapered off as fall progressed,” he says. “By November, things were very quiet. Students were working hard on exams, I guess, and didn’t have time for worm-writing. But now that they’ve been away from the book-learning for a while, we’ve got the first significant worm of ’04.”