A Phishing Worm

By | May 31, 2004

Welcome to the phishing worm.

Korgo, a new worm that appeared last week, scans for random machines to infect and attack, using a vulnerability in Windows called the LSASS flaw which was discovered in April, according to Internet Week. Korgo, also known as Padobot, then sits on users’ computers waiting for instructions from home. Most such bots would open up the victim’s computer for relaying spam, launching Denial of Service attacks, or for infecting other machines.

Korgo seems to go one step further. According to F-Secure, Korgo “seems to be stealing user information very aggressively through keylogging techniques.” Mikko writes on his blog (sorry, no permanent link available): “The Korgo network worm keeps spreading actively, and it’s aggressively stealing user information from infected machines. It does this via a keylogger which specifically collects user logins for online banks (the ones which do not use one-time passwords). It also logs everything the user types to any web form – this will collect lots of credit card numbers, passwords etc.”

This would, if true, mean that users don’t need to receive an email, visit an infected site, or unwittingly download anything for their passwords to be stolen. That would seem to take phishing to the next level in that it doesn’t involve email, either as a form of transmission or as a lure. Roger Thompson of PestPatrol agrees it’s probably the first: “There have been bots that phish, but I don’t think any have specifically targeted banks”.

For some reason McAfee and the others are rating Korgo as a low threat, and make no mention of its keylogging abilities that I can find. I’ve asked F-Secure for more information, including which banks are targetted. I’m also not sure whether there have been previous worms that capture banking passwords. What does seem clear is that the worm is Russian in origin. F-Secure says it believes the HangUP Team, a team of Russian hackers, is the worm’s ‘probable creator’.