The RDV Group InfoSec Blog

Thursday, March 30, 2006

New Trojan Named rootkit.hearse

Sana Security was apparently the first to discover a new Trojan rootkit, which they named "Hearse", that sends financial information back to a central server. You can read about it on their site here (PDF).

Evidently the "... malware components work together to capture user information by discovering passwords previously used on the machine. The Trojan communicates with a server where the stolen information is stored. The Trojan is hidden through the rootkit technology and survives reboot, meaning it remains on the machine indefinitely. Types of information that can be compromised include bank accounts, email logins, and insurance information. "

Sana has some great screen shots of the bug. It's not a keylogger, but works a little differently: "... The Trojan does not rely on capturing keystrokes. Instead, it finds previously used account and password information, in particular through the Internet Explorer autocomplete feature. The types of information include any transaction that requires an account: banking, online auctions, insurance, airlines, etc."
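Since the Trojan is described as reading credentials that Internet Explorer's AutoComplete feature has already stored, the obvious hardening step is to stop IE from storing them in the first place. The following PowerShell snippet is an added example, not part of the original post or of Sana Security's material; it audits and then turns off the IE AutoComplete password settings under the current user's profile. The registry path and the three value names (`FormSuggest Passwords`, `FormSuggest PW Ask`, `Use FormSuggest`) are IE's own settings, but treat the exact effect on a given IE version as something to confirm on a test machine.

```powershell
# Added example (not from the original post or from Sana Security): audit and
# disable Internet Explorer's AutoComplete password storage, the data store that
# Rootkit.hearse is described as harvesting. Run as the user whose profile
# should be hardened; the values are per-user (HKCU).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$names  = 'FormSuggest Passwords', 'FormSuggest PW Ask', 'Use FormSuggest'

# Current state: "yes" (or a missing value) means IE will offer to remember
# form passwords and other form entries.
Write-Host "Before:"
Get-ItemProperty -Path $ieMain -Name $names -ErrorAction SilentlyContinue |
    Format-List $names

# Stop IE from saving passwords, stop it from asking to save them, and turn
# off AutoComplete for other form fields (usernames, account numbers, etc.).
Set-ItemProperty -Path $ieMain -Name 'FormSuggest Passwords' -Value 'no'
Set-ItemProperty -Path $ieMain -Name 'FormSuggest PW Ask'    -Value 'no'
Set-ItemProperty -Path $ieMain -Name 'Use FormSuggest'       -Value 'no'

Write-Host "After:"
Get-ItemProperty -Path $ieMain -Name $names | Format-List $names
```

This only prevents new credentials from being stored. Anything IE has already saved stays on disk until it is cleared (Internet Options > Content > AutoComplete > Clear Passwords / Clear Forms), so on a machine where an infection is suspected, clearing the stored entries and changing the affected passwords from a clean system matters more than the registry change itself.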

The potential for big losses is great, as Sana says: " ... Rootkit.hearse has been active since March 16th, ... The logs contain almost 40,000 records of user account information, spanning 6,500 sites... Sana Labs estimates the number of unique accounts at 20,000."

This is the face of phishing to come. On this blog I've referred to how sophisticated the malware writers and distributors are becoming. While ordinary virus vandalism and spoofed web pages are slowing down, the phishers are getting smarter and more mercenary.

For more info on Sana Security Advisories, look here. And for the latest security news, always go to the RDV Group's RSS Security News Reader.
