[starjax]

Massive identity theft ring

In some recent research into a spyware exploit, our research team has discovered a massive identity theft ring.

We also found the keylogger transcript files that are being uploaded to the servers.

This is real spyware stuff—chat sessions, user names, passwords, bank information, etc. We have confirmed that this data is valid. Highly personal information, including even one fellow who has a penchant for pedophilia -- all logged in detail and returned a webserver.

Note that there is a LOT of bank information in here, including one company bank account with over US$350,000 and another small company in California with over $11,000 readily accessible. This list goes on and on and on. Of course, there's also eBay accounts and much more.

there is a lot more info posted and forthcoming from sunbelt software and thier researchers at:

http://sunbeltblog.blogspot.com/

story has broke on computer world: http://www.computerw...,103737,00.html

you can check Suzi's response at spyware warrior:
http://netrn.net/spy...ing-discovered/

[Advertisements]

ok, quiet a few updates released about this keylogger. First off, as stated by sunbelt, it was discoverd durning a csw infestation. However, it is it's own little criminal trojan.

Naturally CWS had to issue a statement claiming "For some obscure reason, they keep claiming that it has something to do with coolwebsearch. It does not". it goes on to state they are thinking about sueing Yahoo.

Free cleaner here
Free SSA-Keylogger cleaner

You can download the free cleaner for the SSA-Keylogger cleaner here. (see link above)

CounterSpy customers: It is not necessary to use this cleaner, as the detections are already in definitions 216 (consumer) and 217 (1.5 beta and enterprise).

Lavasoft finds similar trojan?

Update:  I just spoke with Mike Wood, VP of Research at Lavasoft— this is not the same variant of the trojan as we found (they have also updated their database to the one we have been discussing).  However, they have some really interesting data so we are hoping to collaborate.

Very interesting, a comfirmation (finally) of the kind of stuff we found. Lavasoft just posted a research note on a trojan and a server which look very similar to the one we found.    Good stuff and well done to these guys. We’re pinging Lavasoft (currently closed as they are in Sweden) to find out more.  Different variant or the same one?  We should hopefully know more soon. 



Alex Eckelberry
President

ok, so it boils down to that CWS has gotten a little touchy because of the press. That the FBI and secret service are involved with the investigation. That there are at least one varient of this keylogger fournd by adaware. It appears that they likes of lavasoft, adaware and others in the industry are sharing all the info they have.

Because of the way this keylogger functions firewalls are unable to prevent its activity.

  Fix for the Srv.SSA-KeyLogger

Press release here.

We have issued an immediate security fix to thwart the newly identified spyware keylogger uncovered by Sunbelt’s Research Team. This is the keylogger that is behind the identity theft ring.

The spyware keylogger, named Srv.SSA-KeyLogger, is a backdoor program that, among other things, secretly steals data from users’s internet sessions, including logins and passwords from online banking sessions, eBay, PayPal, and other programs that use html forms to collect personal information.



It is a new variant of a family of existing trojans generally known as Dumaru or Nibu.  We believe Kaspersky has this described as Win32.Dumador.df, but it is doubtful if many other antispyware or antivirus applications have definitions for it (McAfee, Panda and Symantec don’t catch it, but there are a number of AV programs that do, like Kaspersky and BitDefender — and Lavasoft may have the fix).

Update:  Most AV vendors have this thing now.



As we’ve written before, this keylogger was identified as a result of one of Sunbelt’s lead spyware researcher’s earlier discovery of a massive online identity theft ring in which thousands of unsuspecting computer users’ personal data had been compromised.  In a sense, the news is not the keylogger itself--these are a dime a dozen these days.  The news is that it was one of the rare times that a security company has been able to stumble onto such an extraordinary cache of compromised end-user data.



Anyway, to protect users from this harmful keylogger, new definitions are being added for both the CounterSpy and CounterSpy Enterprise antispyware products.



Updates to the consumer edition of CounterSpy are available immediately, while customers of the enterprise edition will receive the updates shortly upon completion of platform testing by Sunbelt.



Protecting yourself against this keylogger: On Thursday, Sunbelt will be offering a free detection and removal tool on its website specifically targeted at this keylogger.



As an alternative, users can immediately download the two week trial version of CounterSpy, which provides free scanning and remediation for this keylogger and a large number of other spyware threats.



More details on the Srv.SSA-KeyLogger will be posted on Sunbelt’s Research Center



Sunbelt is sharing data on the keylogger with other major security companies to insure the industry has the information necessary to react rapidly to this threat.

this should cap everything seen about this.

for more info please check:
http://sunbeltblog.blogspot.com/
http://www.netrn.net/spywareblog/

[starjax]

ok, quiet a few updates released about this keylogger. First off, as stated by sunbelt, it was discoverd durning a csw infestation. However, it is it's own little criminal trojan.

Naturally CWS had to issue a statement claiming "For some obscure reason, they keep claiming that it has something to do with coolwebsearch. It does not". it goes on to state they are thinking about sueing Yahoo.

Free cleaner here
Free SSA-Keylogger cleaner

You can download the free cleaner for the SSA-Keylogger cleaner here. (see link above)

CounterSpy customers: It is not necessary to use this cleaner, as the detections are already in definitions 216 (consumer) and 217 (1.5 beta and enterprise).

Lavasoft finds similar trojan?

Update:  I just spoke with Mike Wood, VP of Research at Lavasoft— this is not the same variant of the trojan as we found (they have also updated their database to the one we have been discussing).  However, they have some really interesting data so we are hoping to collaborate.

Very interesting, a comfirmation (finally) of the kind of stuff we found. Lavasoft just posted a research note on a trojan and a server which look very similar to the one we found.    Good stuff and well done to these guys. We’re pinging Lavasoft (currently closed as they are in Sweden) to find out more.  Different variant or the same one?  We should hopefully know more soon. 



Alex Eckelberry
President

ok, so it boils down to that CWS has gotten a little touchy because of the press. That the FBI and secret service are involved with the investigation. That there are at least one varient of this keylogger fournd by adaware. It appears that they likes of lavasoft, adaware and others in the industry are sharing all the info they have.

Because of the way this keylogger functions firewalls are unable to prevent its activity.

  Fix for the Srv.SSA-KeyLogger

Press release here.

We have issued an immediate security fix to thwart the newly identified spyware keylogger uncovered by Sunbelt’s Research Team. This is the keylogger that is behind the identity theft ring.

The spyware keylogger, named Srv.SSA-KeyLogger, is a backdoor program that, among other things, secretly steals data from users’s internet sessions, including logins and passwords from online banking sessions, eBay, PayPal, and other programs that use html forms to collect personal information.



It is a new variant of a family of existing trojans generally known as Dumaru or Nibu.  We believe Kaspersky has this described as Win32.Dumador.df, but it is doubtful if many other antispyware or antivirus applications have definitions for it (McAfee, Panda and Symantec don’t catch it, but there are a number of AV programs that do, like Kaspersky and BitDefender — and Lavasoft may have the fix).

Update:  Most AV vendors have this thing now.



As we’ve written before, this keylogger was identified as a result of one of Sunbelt’s lead spyware researcher’s earlier discovery of a massive online identity theft ring in which thousands of unsuspecting computer users’ personal data had been compromised.  In a sense, the news is not the keylogger itself--these are a dime a dozen these days.  The news is that it was one of the rare times that a security company has been able to stumble onto such an extraordinary cache of compromised end-user data.



Anyway, to protect users from this harmful keylogger, new definitions are being added for both the CounterSpy and CounterSpy Enterprise antispyware products.



Updates to the consumer edition of CounterSpy are available immediately, while customers of the enterprise edition will receive the updates shortly upon completion of platform testing by Sunbelt.



Protecting yourself against this keylogger: On Thursday, Sunbelt will be offering a free detection and removal tool on its website specifically targeted at this keylogger.



As an alternative, users can immediately download the two week trial version of CounterSpy, which provides free scanning and remediation for this keylogger and a large number of other spyware threats.



More details on the Srv.SSA-KeyLogger will be posted on Sunbelt’s Research Center



Sunbelt is sharing data on the keylogger with other major security companies to insure the industry has the information necessary to react rapidly to this threat.

this should cap everything seen about this.

for more info please check:
http://sunbeltblog.blogspot.com/
http://www.netrn.net/spywareblog/