Threat Management, Incident Response, Malware, TDR

Trojan-to-worm toolkit helps advanced hackers go undetected

Researchers at Panda Labs have discovered a free toolkit that allows users to turn any executable file into a worm.

The tool, believed to originate in Spain, is simple to use and can bedesigned with various functionality, according to Panda. Theapplication, known as T2W, or TrojanToWorm, can be customized to disablecertain operating system components, such as Task Manager, WindowsRegistry Editor and web browsers.

"The scary part is that you can take existing stealth-based malwareand actually make it a worm," Ryan Sherstobitoff, chief corporateevangelist for Panda Security, told on Wednesday. "Nowyou can infecthundreds of desktops. That's the really scary part. Taking somethingthat's already really dangerous and making it self-replicate."

But experts say the application, more than anything, is a deliberatedesign aimed at inexperienced hackers, known as script kiddies, so moresophisticated hackers can continue to fly under the radar and commitsilent but destructive data breaches.

The idea is to create as much noise as possible so corporate ITsecurity departments get distracted dealing with these incidents,Sherstobitoff said. That is why the toolkit -- and many others like it --is being offered for free in underground forums populated by scriptkiddies.

"This is a way to get their real clever attacks unseen for as long aspossible," he said. "They can get away with breaching a Hannaford or aTJX and nobody will notice because they're too busy killing the scriptkiddies who are creating malware."

Even though the toolkit can create a worm, it is unlikely to result ina dangerous threat because most identity-theft malware is "beyond thecapability of a script kiddie," Sherstobitoff said.

Sam Curry, vice president of product management for identity and accessassurance at RSA, said the strategy of creating "noise" has been aroundfor many years but only recently has the motivation turned financial.

"We're seeing a proliferation of a lot of tools," he on Wednesday. "The more noise there is, the lesslikely someone is to get caught. If all the alarm bells in yourbuilding go off at once, where do you send thesecurity guard?"

Curry said many of these toolkits are placed in underground forums,which are created by the most advanced cybercriminals, but frequented bylow-level hackers.

"They think they're hanging with the tough crowd, but they're actuallyjust the stool pigeons and distractions," Curry said. "It's actuallypathetic in a way."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.