Infected job search sites lead to info theft for 46,000

Researcher says hoards of stolen data swiped by Prg malware

A security researcher at SecureWorks Inc. has uncovered a cache of financial and personal data that was stolen from about 46,000 individuals by a variant of Prg, a Trojan program gaining notoriety for its quick-change behaviors.

The stolen data includes bank and credit card account information and Social Security numbers as well as usernames and passwords for online accounts. Many of the victims were infected and reinfected as they visited several leading online job search sites, including the popular Monster.com.

Don Jackson, the SecureWorks researcher who found the collection, said it was the largest single cache of data he discovered from the Prg Trojan, a piece of malware first seen in the wild in June. According to Jackson, the server he examined is still collecting stolen data, with up to 10,000 victims feeding it information at any particular time.

That server is one of 20 similar servers worldwide that are collecting and storing data stolen by Prg. Twelve of those servers -- including the one with the large data cache -- are being managed by a single hacking group known for naming their attacks after car manufacturers such as Bugatti, Ford and Mercedes, Jackson said.

The "car group's" success in compromising and stealing information from so many individuals is based on two factors, Jackson said. The first factor appears to have been their success in widely distributing the malware. He says the group used online ad aggregation services to place infected ads on job-search services as well as other Web sites, he said.

A user clicking on one of the malicious ads is taken to an exploit page that "fingerprints" the user's browser and then serves up between one and four exploits designed to infect the user's system with the Trojan. From that point on, all information the user enters into the browser is captured and sent off to the hacking group's servers, Jackson said.

The other reason for the widespread compromises is the group's sheer industry -- they've been releasing a new variant of the Trojan every five days to a week, on average, and sometimes even quicker. Antivirus tools are having a hard time keeping up with the variants, Jackson said, so infections are going undetected for several weeks in many cases. Many of those whose data has been stolen appear to have been infected multiple times by successive variants of the Trojan.

A number of Prg variants are known to operate in part by opening up Port 6081 on victims' computers and listening for connections there. Almost no legitimate programs are known to use 6081; some experts suggest that concerned parties looking to cut Prg off at the knees might start by blocking inbound and outbound traffic on the port. If a Prg infection on your machine is undetectable by your anti-virus package but you detect the malware's characteristic activity on Port 6081, your computer will need to be booted into Safe Mode and another scan will need to be run.

If that fails, manual removal or reinstalling the operating system may be necessary. Symantec, which refers to the malware as Trojan Infostealer.Monstres, has posted additional info on how to detect and remove the threat.

Prg appears to be a variant of a somewhat older Trojan known as wnspoem, discovered last October. Like the earlier model, Prg is designed to sniff sensitive data from Windows internal memory buffers before the data is encrypted, which means that the malware can circumvent SSL security measures. When SecureWorks researchers noted back in June that a Prg construction kit was making the rounds, the data caches they analyzed contained a remarkable amount of information from corporate PCs -- indicating perhaps that attackers are now expanding their focus.

It's not entirely clear how the stolen information in the latest attacks is being used, but Jackson says that the kind of data that the Trojan has cached seems to indicate that the data is being stolen for identity theft purposes.

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon