Sunbelt Adds Detection for ID Theft Keylogger

Discussion in 'other anti-malware software' started by ronjor, Aug 11, 2005.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,145
    Location:
    Texas
    Article

     
  2. ftwynne59

    ftwynne59 Registered Member

    Joined:
    May 24, 2005
    Posts:
    185
    ID Theft Spyware Scam Uncovered

    Hi all

    Interesting read.....

    http://news.bbc.co.uk/1/hi/technology/4173218.stm

    Apologies... I tried to copy and paste the link (BBC News website) but just got the web location text. So a question to the forum members (being a newbie an' all): how is this done?

    Cheers

    ftwynne59
     
    Last edited: Aug 23, 2005
  3. controler

    controler Guest

    Re: ID Theft Spyware Scam Uncovered

    I wonder if ProcessGuard could stop this type of install?

    controler
     
  4. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: ID Theft Spyware Scam Uncovered

    I couldn't see how PG would block a trojan (drive-by download) if it doesn't have a service to block...

    it would be nod32 or ewido on my machine stopping the trojan ...

    I have been infecting myself for a while now and I haven't seen pg doing anything about any infection unless it would be a rootkit or stopping some code injection but the actual trojan wasn't stopped...

    I have been reading a story from Paperghost and I must say I see some comparison with the BBC story and PPG's own crusade against spyware .. some server collecting ... some server infesting .. and very hard to find such a server.

    grtz.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Re: ID Theft Spyware Scam Uncovered

    I would hope so, if its anti-execution protection is working.

    The article states that the trojan is a variant of dumaru. From the Symantec site:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.y@mm.html

    ------------------------
    Copies itself as these files:

    %System%\l32x.exe
    %System%\vxd32v.exe
    %Startup%\dllxw.exe
    ------------------------

    As soon as the trojan attempts to copy/load the .exe, PG should alert. This would probably be the keylogger referred to.

    Other types of protection should also catch it:

    ----------------------------
    Adds the value:

    "load32"="%System%\l32x.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.
    ----------------------------------------------------

    If you have a registry monitor of some type, this action would be blocked.

    If you have a lock-down program, all would be erased on reboot before the worm could run.


    -rich
    ________________
    ~~Be ALERT!!! ~~
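    As an added illustration of the autostart entry Rmus quotes above (this is example code written for this page, not code from the thread, from Symantec, or from any product mentioned here): a small Python checker that parses the text `reg query` prints for the HKLM Run key and flags any entry whose value name or image file name matches the Dumaru indicators quoted from the Symantec write-up (value name `load32`; dropped files `l32x.exe`, `vxd32v.exe`, `dllxw.exe`). The `reg query` output embedded below is constructed for the example; the SoundMAX and Updater entries are made-up benign entries included for contrast. On a real host you would feed it the actual output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample output of:
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# on a host where the Dumaru variant has added its "load32" value.
# The SoundMAX and Updater entries are invented benign entries for contrast.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMAX    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    load32    REG_SZ    C:\WINDOWS\System32\l32x.exe
    Updater    REG_EXPAND_SZ    %ProgramFiles%\Vendor\updater.exe /background
"""

# Indicators taken from the Symantec W32.Dumaru.Y@mm description quoted in the thread.
DUMARU_VALUE_NAMES = {"load32"}
DUMARU_FILE_NAMES = {"l32x.exe", "vxd32v.exe", "dllxw.exe"}


class RunEntry(NamedTuple):
    name: str      # registry value name, e.g. "load32"
    reg_type: str  # REG_SZ, REG_EXPAND_SZ, ...
    data: str      # command line stored in the value


# reg query prints each value as: <indent>name<2+ spaces>REG_TYPE<2+ spaces>data
_VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(text: str) -> List[RunEntry]:
    """Turn `reg query` text into RunEntry records; the key-name header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            entries.append(RunEntry(m.group(1), m.group(2), m.group(3).strip()))
    return entries


def image_basename(data: str) -> str:
    """Return the lower-cased file name of the executable a Run value launches.

    Handles an optional leading quote and trailing arguments after the .exe.
    """
    data = data.strip()
    m = re.match(r'^"?(.*?\.exe)', data, re.IGNORECASE)
    path = m.group(1) if m else (data.split() or [""])[0]
    return path.rsplit("\\", 1)[-1].lower()


def flag_dumaru(entries: List[RunEntry]) -> List[Tuple[RunEntry, List[str]]]:
    """Return (entry, reasons) for every Run entry matching a Dumaru indicator."""
    hits = []
    for entry in entries:
        reasons = []
        if entry.name.lower() in DUMARU_VALUE_NAMES:
            reasons.append(f"value name {entry.name!r} matches Dumaru indicator")
        image = image_basename(entry.data)
        if image in DUMARU_FILE_NAMES:
            reasons.append(f"image {image!r} matches a Dumaru drop file name")
        if reasons:
            hits.append((entry, reasons))
    return hits


if __name__ == "__main__":
    for entry, reasons in flag_dumaru(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"SUSPICIOUS: {entry.name} = {entry.data}")
        for reason in reasons:
            print(f"    - {reason}")
```

    Matching on both the value name and the dropped file name matters because the two indicators are independent: a registry monitor that prompts on the `load32` write and a file-level check for the `%System%` drops each catch the persistence step on their own, which is the point Rmus makes about more than one kind of protection being able to stop it.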
     
  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: ID Theft Spyware Scam Uncovered

    The execution protection should protect the exe from executing, yes, that's true.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It turns out that the worm installs the keylogger, Srv.SSA-KeyLogger, in a similar way to the dumaru worm, and it is easily prevented by any program that catches keyloggers:

    http://research.sunbelt-software.com/Advisory.cfm

    Also, as mentioned in another post, tweaking IE helps!


    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Aug 23, 2005
  8. trickyricky

    trickyricky Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    475
    Location:
    London, UK
    I'm sure not using IE would help even more.
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    ID theft ring escapes shutdown

     