
Sunbelt Adds Detection for ID Theft Keylogger


ronjor
August 11th, 2005, 07:56 PM
-{ Quote: "Anti-spyware vendor Sunbelt plans to release a free tool to zap a sophisticated keystroke logger being used by an organized ring of identity thieves." }-
Article (http://www.eweek.com/article2/0,1759,1847427,00.asp?kc=EWRSS03119TX1K0000594)

More (http://www.techweb.com/showArticle.jhtml?articleID=168600896)

ftwynne59
August 23rd, 2005, 07:27 AM
Hi all

Interesting read.....

http://news.bbc.co.uk/1/hi/technology/4173218.stm

Apologies...Tried to copy and paste the link (BBC News Website) but just got the web location text. So a question to the Forum members (being a newbie an' all) is how is this done ?

Cheers

ftwynne59

controler
August 23rd, 2005, 07:50 AM
I wonder if ProcessGuard could stop this type of install?

controler

Infinity
August 23rd, 2005, 08:22 AM
I couldn't see how pg would block a trojan (drive by download) if it doesn't have a service to block...

it would be nod32 or ewido on my machine stopping the trojan ...

I have been infecting myself for a while now and I haven't seen pg doing anything about any infection unless it would be a rootkit or stopping some code injection but the actual trojan wasn't stopped...

I have been reading a story from Paperghost and I must say I see some comparison with the BBC story and PPG's own crusade against spyware .. some server collecting ... some server infesting .. and very hard to find such a server.

grtz.

Rmus
August 23rd, 2005, 08:36 AM
-{ Quote: "I wonder if ProcessGuard could stop this type install?" }-I would hope so, if its anti-execution protection is working.

The article states that the trojan is a variant of Dumaru. From the Symantec site:

http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.y@mm.html

------------------------
Copies itself as these files:
%System%\l32x.exe
%System%\vxd32v.exe
%Startup%\dllxw.exe
------------------------

As soon as the trojan attempts to copy/load the .exe, PG should alert. This would probably be the keylogger referred to.

Other types of protection should also catch it:

----------------------------
Adds the value:

"load32"="%System%\l32x.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.
----------------------------------------------------

If you have a registry monitor of some type, this action would be blocked.

If you have a lock-down program, all would be erased on reboot before the worm could run.


-rich
________________
~~Be ALERT!!! ~~
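
A practical way to do the Run-key and Startup-folder check described in this post, added here as an example and not something from the thread, Sunbelt or Symantec: export the key on the suspect machine with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (the file is written as UTF-16, so open it with that encoding), list the Startup folder, and run the script below over both. It assumes a default English Windows XP layout for the %System% and %Startup% placeholders, and the .reg text embedded in it is constructed for the example, not taken from an infected machine. It goes a little beyond the exact indicators: besides the three dropped files and the "load32" value, it flags any Run entry that launches from the Startup folder or a temp directory, which is the kind of thing a variant with different file names would still do.

```python
"""Offline check of an exported HKLM Run key and a Startup-folder listing
against the W32.Dumaru.Y indicators quoted in this thread. Added example,
not Sunbelt's or Symantec's tool; the .reg text below is constructed."""
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

# Indicators exactly as the Symantec write-up quoted above gives them.
DUMARU_Y_RUN_VALUES = {"load32": r"%system%\l32x.exe"}
DUMARU_Y_FILES = [r"%system%\l32x.exe", r"%system%\vxd32v.exe", r"%startup%\dllxw.exe"]

# ASSUMPTION: default English Windows XP layout for the placeholders;
# adjust for other locales or Windows versions.
PLACEHOLDERS = {
    "%system%": r"c:\windows\system32",
    "%startup%": r"c:\documents and settings\all users\start menu\programs\startup",
}


def normalize(path):
    """Lower-case a path, drop a leading quote, and expand the placeholders
    (plus the %SystemRoot% spelling) so indicator and registry value compare equal."""
    p = path.strip().lower().lstrip('"')
    p = p.replace("%systemroot%\\system32", PLACEHOLDERS["%system%"])
    for placeholder, real in PLACEHOLDERS.items():
        p = p.replace(placeholder, real)
    return p


def executable_of(value):
    """Strip trailing quote/arguments from a Run value: keep up to the first .exe."""
    return value.split(".exe", 1)[0] + ".exe" if ".exe" in value else value


def parse_reg_export(text):
    """Parse the subset of .reg syntax that `reg export` emits: [key] headers
    and "name"="value" REG_SZ lines (backslashes and quotes are backslash-escaped).
    Returns {lower-cased key path: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line) if current else None
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # undo the .reg escaping
        keys[current][name] = value
    return keys


def check_run_key(keys):
    """Return (name, value, reason) for each Run entry matching a Dumaru.Y
    indicator, or pointing somewhere an autorun normally should not."""
    dropped = {normalize(f) for f in DUMARU_Y_FILES}
    findings = []
    for name, value in keys.get(RUN_KEY, {}).items():
        exe = executable_of(normalize(value))
        expected = DUMARU_Y_RUN_VALUES.get(name.lower())
        if expected and exe == normalize(expected):
            findings.append((name, value, "exact W32.Dumaru.Y Run value"))
        elif exe in dropped:
            findings.append((name, value, "points at a W32.Dumaru.Y dropped file"))
        elif exe.startswith(PLACEHOLDERS["%startup%"]) or "\\temp\\" in exe:
            findings.append((name, value, "autorun from a user-writable location"))
    return findings


def check_startup_dir(filenames):
    """Flag Startup-folder entries whose name matches a dropped-file indicator."""
    bad = {normalize(f).rsplit("\\", 1)[-1] for f in DUMARU_Y_FILES
           if f.lower().startswith("%startup%")}
    return [f for f in filenames if f.lower() in bad]


# Constructed sample of what `reg export` writes for the Run key (not a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SoundMan"="SOUNDMAN.EXE"
"load32"="C:\\WINDOWS\\System32\\l32x.exe"
"updater"="\"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\dllxw.exe\" -s"
'''

if __name__ == "__main__":
    for name, value, why in check_run_key(parse_reg_export(SAMPLE_REG)):
        print(f"[!] Run\\{name} = {value}  ({why})")
    for f in check_startup_dir(["desktop.ini", "dllxw.exe"]):
        print(f"[!] Startup folder contains {f}")
```

On the sample above the script reports the "load32" value and the "updater" entry that launches dllxw.exe from the Startup folder; the two legitimate entries pass. Note it only reads an export, so it tells you something is already there; it is not a substitute for the real-time registry monitor the post is talking about, which is what stops the value being written in the first place.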

Infinity
August 23rd, 2005, 08:53 AM
the execution protection should protect the exe from executing yes that's true.

Rmus
August 23rd, 2005, 12:03 PM
It turns out that the worm installs the keylogger, Srv.SSA-KeyLogger, in a similar way to the Dumaru worm, and it is easily prevented by any program that catches keyloggers:

http://research.sunbelt-software.com/Advisory.cfm

Also, as mentioned in another post, tweaking IE helps!


-rich
________________
~~Be ALERT!!! ~~

trickyricky
August 23rd, 2005, 01:34 PM
-{ Quote: "Also, as mentioned in another post, tweaking IE helps!" }-
I'm sure not using IE would help even more.

Bubba
August 27th, 2005, 09:25 AM
ID theft ring escapes shutdown (http://news.bbc.co.uk/1/hi/technology/4186972.stm)

-{ Quote: "An ID theft ring that has hit thousands of people is proving hard to shut down.
Discovered by US security firm Sunbelt Software, the scam used keyloggers to steal data stored by Microsoft's Internet Explorer browser.

Variants of the original bug are popping up and sending data to other servers and are continuing to harvest data from unwitting victims' machines.

Tools are now appearing to help people find out if they are infected and to remove the sophisticated bug." }-