ZDNet AnchorDesk: Beware of keystroke-logging RATs!

AnchorDesk

Beware of keystroke-logging RATs!

Robert Vamosi
Senior Editor, Reviews
Monday, June 7, 2004

Add your opinion

Forward in

Format for

Robbing a bank used to involve risk of serious physical harm. Now, bandits may develop carpal tunnel syndrome, but that's about it. Without leaving the house, a criminal hacker, or cracker, can create a Trojan horse to clear thousands of dollars in fraudulent bank transactions.

Protect yourself

Remote-access Trojans are no gifts. But a good antivirus app should take care of them. Robert recommends this one.

ZoneAlarm with Antivirus

Trojan horses are little programs that promise one thing--say, a smiley face cursor--but do another--for example, record every keystroke you make or every Web site you visit. Remote-access Trojans (RATs) open a port on your computer, sharing your personal login passwords with crackers from around the world. It's the keystroke-recording RATs that are wreaking havoc these days.

If you think there are a lot of viruses out there, you're right. But there are even more Trojans floating around the Internet. Most recent updates listed on the Sophos antivirus software site, for instance, are for new Trojans, not new viruses.

One reason for the exponential growth of Trojans is their ability to capture specific information. The group HangUp Team, located in Russia, openly advertises its programming services, claiming that they will custom design a keystroke-logging RAT to defraud the bank or credit card company of your choice. Why target banks? Because that's where the money is.

According to the antivirus software vendor F-Secure, the Russian HangUp Team may have engineered a recent spate of low-threat viruses known as Korgo. The Korgo virus opens a back door on your computer, then downloads the Padobot keystroke-logging RAT that captures your personal login information and, after you've completed your session, sends the information to a cracker. The cracker, posing as you, then logs in and makes a very large withdrawal from your account.

Viruses containing account-stealing Trojan have been tried before, mostly in Europe. Korgo is different, however, in that, like Sasser and MSBlast, it runs automatically on Windows 2000 and XP machines connected to the Internet that are vulnerable to the LSASS buffer overrun vulnerability--you don't even have to open e-mail or an attached file to become infected. If you've updated your Windows OS since April 13 with the latest security patches, you should be protected; if you haven't patched your system yet, you should do so now.

Follow the money
There have been attempts to thwart these criminals. International banking laws make it difficult for foreign thieves to transfer large sums of money from an account in one country to an account in another country; this helps protect against phishing scams, too. As a result, it's not easy for someone overseas to automatically transfer your money into their accounts.

So the crackers now recruit people in the targeted country to act as middlemen. Literally, they take out help-wanted ads. Once hired, the middlemen are asked to open an account with a specific local bank. The overseas cracker transfers sums of money to the middleman's local bank account. After taking a salary (a predetermined percentage), the middleman wires the balance of the money to an overseas bank account.

Using a middleman affords the criminals another layer of protection. When the FBI or Interpol comes knocking, it's usually the middleman they arrest, not the true criminal overseas.

Cutting-edge protection
To protect their online bank accounts, the Swiss are now providing bank customers with minicalculators. These customers simply type a password into the minicalculator, which is synchronized with a central server, to randomly generate a second password, one that's good only for that one banking session. Anyone stealing the calculator will not be able to use it unless they also steal your password. I think such two-factor authentication schemes will become common soon, and will be the ultimate solution to these keystroke-logging RATs.

Until then, there's always the good ol' antivirus and firewall combo. I got a lot of e-mail on last week's column for not mentioning PC-cillin Internet Security 2004 in our annual roundup of Internet security suites. I don't consider PC-cillin a security suite, but, yes, it is also a very fine antivirus/firewall combination.

What do you think? Have you ever been victimized by a RAT or other Trojan horse? What happened? How did you get rid of it? TalkBack to me below!

Special sponsor stores

Dell Home

Social Networking

Confirmed: Twitter buys Summize As was rumored, Twitter has acquired Summize, best known for its Twitter search engine... Learn more about this acquisition »
A Sneak Peek from E3 at Xbox 360's latest software upgrades Microsoft previews their next System Update featuring avatars and more social interaction through games View the ZDNet Video to lean more about the new features »
From our sponsors
Back to school

Essential for School Help get your kids A+ ready with Microsoft® Office 2007 Home and Student Edition. Get great offers »
Buying a PC? Easier formatting. Better results. Buy the latest version now »