Security Watch: Don't get burned by viruses and hackers.
Beware of keystroke-logging RATs
By Robert Vamosi 
Senior associate editor, CNET Reviews
June 7, 2004

Robbing a bank used to involve risk of serious physical harm. Now, bandits may develop carpal tunnel syndrome, but that's about it. Without leaving the house, a criminal hacker, or cracker, can create a Trojan horse to clear thousands of dollars in fraudulent bank transactions.

Trojan horses are little programs that promise one thing--say, a smiley face cursor--but do another--for example, record every keystroke you make or every Web site you visit. Remote access Trojans (RATs) open a port on your computer, sharing your personal login passwords with crackers from around the world. It's the keystroke-recording RATs that are wreaking havoc these days.

If you think there are a lot of viruses out there, you're right. But there are even more Trojans floating around the Internet. Most recent updates listed on the Sophos antivirus software site, for instance, are for new Trojans, not new viruses.

One reason for the exponential growth of Trojans is their ability to capture specific information. The group HangUp Team, located in Russia, openly advertises its programming services, claiming that they will custom design a keystroke-logging RAT to defraud the bank or credit card company of your choice. Why target banks? Because that's where the money is.

According to the antivirus software vendor F-Secure, the Russian HangUp Team may have engineered a recent spate of low-threat viruses known as Korgo. The Korgo virus opens a back door on your computer, then downloads the Padobot keystroke-logging RAT that captures your personal login information, and after you've completed your session, sends the information to a cracker. The cracker, posing as you, then logs in and makes a very large withdrawal from your account.

Viruses containing account-stealing Trojans have been tried before, mostly in Europe. Korgo is different, however, in that, like Sasser and MSBlast, it runs automatically on Windows 2000 and XP machines connected to the Internet that are vulnerable to the LSASS buffer overrun vulnerability--you don't even have to open e-mail or an attached file to become infected. If you've updated your Windows OS since April 13 with the latest security patches, you should be protected; if you haven't patched your system yet, you should do so now.

Follow the money
There have been attempts to thwart these criminals. International banking laws make it difficult for foreign thieves to transfer large sums of money from an account in one country to an account in another country; this helps protect against phishing scams, too. As a result, it's not easy for someone overseas to automatically transfer your money into their accounts.

So the crackers now recruit people in the targeted country to act as middlemen. Literally, they take out help-wanted ads. Once hired, the middlemen are asked to open an account with a specific local bank. The overseas cracker transfers sums of money to the middleman's local bank account. After taking a salary (a predetermined percentage), the middleman wires the balance of the money to an overseas bank account.

Using a middleman affords the criminals another layer of protection. When the FBI or Interpol comes knocking, it's usually the middleman they arrest, not the true criminal overseas.

Cutting-edge protection
To protect their online bank accounts, the Swiss are now providing bank customers with minicalculators. These customers simply type a password into the minicalculator, which is synchronized with a central server, to randomly generate a second password, one that's good only for that one banking session. Anyone stealing the calculator will not be able to use it unless they also steal your password. I think such two-factor authentication schemes will become common soon, and will be the ultimate solution to these keystroke-logging RATs.
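The column does not describe how the Swiss "minicalculator" computes its session password, so the following added example (not code from the column or from any bank) models it as an RFC 4226 HOTP token: the device and the bank share a secret and a counter, the customer unlocks the device with a PIN, and each generated code is valid once. The server accepts a code only inside a small look-ahead window and then advances its counter, which is what makes a code captured by a keystroke logger useless for a later login. The secret, PIN and counter values below are constructed for the demonstration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """Models the customer's device: a shared secret, a counter, and a PIN
    that must be entered before a code is produced (assumed design)."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin
        self._counter = 0

    def generate(self, pin: str) -> str:
        # A stolen device without the PIN yields nothing.
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        code = hotp(self._secret, self._counter)
        self._counter += 1  # each code is consumed as soon as it is shown
        return code


class BankServer:
    """Server side: same secret, its own counter, and a small look-ahead
    window to tolerate codes the customer generated but never submitted."""

    def __init__(self, secret: bytes, window: int = 5):
        self._secret = secret
        self._counter = 0
        self._window = window

    def verify(self, code: str) -> bool:
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                # Move past the accepted counter so the same code cannot be replayed.
                self._counter = c + 1
                return True
        return False


def keylogger_replay_demo():
    """A keystroke logger records the one-time code the customer typed.
    The legitimate session succeeds; replaying the captured code fails."""
    secret = b"12345678901234567890"  # constructed shared secret (RFC 4226 test key)
    token = Token(secret, pin="4711")  # constructed PIN
    bank = BankServer(secret)
    captured = token.generate("4711")  # this is what the logger sees on the wire
    legit = bank.verify(captured)      # customer's own login: True
    replay = bank.verify(captured)     # cracker logging in later with it: False
    return legit, replay


def skipped_code_demo():
    """The customer generates a code, discards it, and uses the next one;
    the window lets the second code through and the first is then dead."""
    secret = b"12345678901234567890"
    token = Token(secret, pin="4711")
    bank = BankServer(secret)
    unused = token.generate("4711")
    second = token.generate("4711")
    return bank.verify(second), bank.verify(unused)


if __name__ == "__main__":
    print("legit, replay:", keylogger_replay_demo())
    print("skipped, stale:", skipped_code_demo())
```

The replay check is the whole point of the scheme: a static password is reusable forever once logged, whereas an HOTP code is bound to a counter the server has already moved past. The window size is a trade-off between tolerating unsubmitted codes and limiting how many codes an attacker could try.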

Until then, there's always the good ol' antivirus and firewall combo. I got a lot of e-mail on last week's column for not mentioning PC-cillin Internet Security 2004 in our annual roundup of Internet security suites. I don't consider PC-cillin a security suite, but, yes, it is also a very fine antivirus/firewall combination.

Got a security question? Let me hear about it!




