Trojan kit found

Security teams from anti-spyware vendor Sunbelt Software have discovered a website application instructing hackers on how to build trojans designed to steal personal information.

"It's totally geared at identity theft," said Eric Sites, vice president of research and development for the Clearwater, Fla.-based company. "The trojan is specifically made to steal banking log-in information and to steal (confidential information) you use to purchase stuff online."

Sunbelt researchers located the easy-to-use building kit as they were performing standard studies on a trojan, Sites said, as the variant sent stolen confidential information to the website containing the building program. Authorities have since shut down the website.

"We come across a lot of trojans and a lot of keyloggers," Sites said. "It's pretty rare that we come across almost a commercial quality package for building these things."

About 30,000 variants of the trojan have surfaced since late last summer, Sites said.

Mike Rothman, president of Atlanta-based analyst firm Security Incite, said trojan-building models and tips for hackers are commonplace on the internet.

"If somebody is reasonably motivated, they can get more information than they know what to do with," he said. "All the malware defense guys would be much better suited to make sure their customers can defend what's coming down the pike" than what already exists.

Proceeds from the sale of the building kit went to a foreign-based company called Rat Systems. Its website, ratsystems[dot]org, is closed for maintenance, according to the home page.

The building application consisted of scripts that allowed a malware author to add a URL to receive the stolen data. Also, the building program advised users how to mass email users and hide the trojan from anti-virus programs by modifying the host file.

The trojan has stored keylogger information and also has a feature that transfers money from victims' accounts into e-gold accounts set up by the hacker.

"It's such a nasty virus," Sites said.

Most affected machines don't have the latest updates for their operating systems, he said.

The U.S. Secret Service is investigating the device, Sites said. Calls placed to an agency spokesman were not returned Monday.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.