Identity-Theft Keylogger Identified - InformationWeek



Identity-Theft Keylogger Identified

Sunbelt Software has identified the keylogging spyware that is feeding sensitive personal information to an identity-theft ring. The FBI confirms it has been in contact with Sunbelt and is looking into the company's findings.

Sunbelt Software Inc. says it has identified the keylogging spyware that is feeding sensitive personal information to the "massive identity-theft ring" identified by company researchers last week.

According to the Florida-based security software company, the keylogger is named Srv.SSA-KeyLogger. It's a variant of a family of Trojans sometimes known as W32/Dumaru. Trojan programs by definition do not spread on their own. Users typically download them onto their PCs without realizing it, or they acquire them through other malware.

According to Phil Owens, product manager at Sunbelt Software, the keylogger is known to be present in adware downloads offered at certain porn and hacking sites. He says that users of unpatched Windows systems prior to Windows XP SP2 can have their PCs infected simply by visiting one of these sites. In other instances, a confirmation dialogue box may be the only warning that a dangerous download is about to take place.

This particular malware, the company warns, steals data from users' Internet sessions, including logins and passwords from online banking sessions and E-commerce sites, and from Internet Explorer's Protected Storage Area, which can contain personal information for use with the browser's Web form AutoComplete function. Specifically, it captures browser window titles and keystrokes when it detects words associated with financial interactions -- including "bank," "casino," "eBay," "login," and "PayPal," to name a few.

Because it runs under Internet Explorer, company president Alex Eckelberry notes in his blog, the keylogger "is generally undetectable by a software or hardware firewall." It also turns off the Windows firewall.

What's more, the keylogger blocks access to the Web sites of many anti-virus security companies by altering the hosts file on infected machines. Sunbelt Software, ironically, isn't among the companies listed.
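The hosts-file tampering described above is something a defender can check for directly. The following is an added example (not Sunbelt's tool or code from the article) that parses a hosts file and flags any static entry for a security-vendor domain, distinguishing entries sinkholed to loopback or 0.0.0.0 from those redirected to another address; the sample hosts file and the vendor watch-list are constructed for illustration.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not taken from the article).
# The vendor entries pinned to loopback are the kind of edit the article describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com   # sinkholed to loopback
0.0.0.0         www.mcafee.com
10.0.0.5        liveupdate.symantec.com         # redirected elsewhere
192.168.1.10    printserver.corp.example
"""

# Hypothetical watch-list a defender would maintain; not from the article.
SECURITY_VENDOR_DOMAINS = ("symantec.com", "mcafee.com", "trendmicro.com",
                           "kaspersky.com", "sophos.com", "sunbelt-software.com")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:               # one IP may map several names
            yield line_no, fields[0], host.lower()


def is_vendor_host(hostname):
    """True if hostname is, or is a subdomain of, a watched vendor domain."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in SECURITY_VENDOR_DOMAINS)


def classify(ip):
    """Label how the mapping interferes: sinkholed (loopback/0.0.0.0) or redirected."""
    addr = ipaddress.ip_address(ip)
    return "sinkholed" if addr.is_loopback or addr.is_unspecified else "redirected"


def find_blocked_vendors(text):
    """Return [(line_no, hostname, ip, verdict)]; a clean hosts file yields none."""
    hits = []
    for line_no, ip, host in parse_hosts(text):
        if is_vendor_host(host):
            hits.append((line_no, host, ip, classify(ip)))
    return hits


for line_no, host, ip, verdict in find_blocked_vendors(SAMPLE_HOSTS):
    print(f"line {line_no}: {host} -> {ip} ({verdict})")
```

On a real system, read the text from the platform's hosts file (for example %SystemRoot%\System32\drivers\etc\hosts on Windows) and compare against the vendor list your organization actually relies on.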

Once the program has captured enough data, it sends the information in a text file to a remote server where the information is presumably harvested by criminals. This server, Sunbelt claims, is located in the U.S. but registered to an offshore entity. As of Thursday morning PST, the server was still active.

A spokeswoman for the FBI's Dallas field office confirms that the FBI has been in contact with Sunbelt and is looking into the company's findings. She adds that the agency has noted an increase in cybercrime and is allocating its resources appropriately. She says cybercrime is the agency's number three priority, behind counter-terrorism and foreign counterintelligence.

In his blog, Eckelberry expresses his dismay about the potential impact of this keylogger. "In a number of cases, we were so disturbed by what we saw that we contacted individuals who were in direct jeopardy of losing a considerable amount of money," he wrote last Saturday. "One particularly poignant moment was a family in Alabama whom I contacted personally last night and warned them of what was going on. This was a family where the father had just had open-heart surgery, and they had very little money. Everything personal was recorded in the keylogger -- Social Security numbers, their credit card, DOBs, login and password info for their bank and credit-card companies, etc. We were able to warn them in time before they were seriously hurt."

A spokeswoman for Sunbelt Software says the family does not wish to comment on its experience.

Sunbelt says it has updated its CounterSpy anti-spyware program to block the keylogger and expects to have an update for CounterSpy Enterprise shortly. It also has notified other major security companies so they can do the same. Sometime today, it plans to offer a free detection and removal tool on its Web site for those who aren't already customers.

It's not clear whether, as initially believed, the keylogger is related to a family of Trojan programs known as CoolWebSearch. Variants of this Trojan redirect users to, owned by a company in Russia, and affiliated sites. "It was discovered during a CoolWebSearch infestation, but it actually is its own sophisticated criminal little Trojan that's independent of CWS," Eckelberry wrote in his blog on Monday. On Wednesday, he wrote, "It seems related to the CoolWebSearch gang, but that is still not certain."
