March 10, 2006

SSL Trojans getting ever nastier

Based on increases in Trojan technology and frequency, Roger predicts a major bank heist is on the horizon

Last week’s column on SSL Trojans generated a lot of interest and some new information. First, I must admit to feeling like I’ve been living in a sheltered time warp. Although SSL Trojans are new to me, a little Googling turned up similar Trojans going back as far as 2004.

LURHQ’s description of an E-gold Trojan was an early foreshadowing of things to come. E-gold is an e-cash operation, similar to PayPal. Turns out they’ve been under constant attack from these advanced Trojans for a few years now.

The E-gold Trojan waits for the victim to successfully authenticate to E-gold’s Web site, creates a second hidden browser session, and uses various spoofing tricks until it drains the victim’s account. Because the stealing and spoofing are started after the authentication is completed, no amount of fancy log-on authentication would prevent the heist. All too telling is LURHQ’s prediction that “other banking institutions are sure to be attacked in this manner in the future.”
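The column’s point is that the theft begins only after a successful log-on, so the controls that matter are the ones watching what an authenticated session does. The following is an added illustration, not code from the column, LURHQ or E-gold: a server-side monitor over a constructed transaction log that flags an account being drained within one session and a second session appearing for the same account seconds after the first log-on (the hidden parallel browser described above). Event layout, thresholds and balances are all assumptions.

```python
"""Post-authentication drain detector (added illustration, not from the column).

Input is a constructed list of events; each is
(timestamp_seconds, account, session_id, event_type, amount).
"""
from collections import defaultdict

# Constructed sample events: one account hit by a hidden second session that
# empties it within seconds of log-on, one account with ordinary activity.
EVENTS = [
    (0,   "acct-1", "S1", "login",    0),
    (5,   "acct-1", "S2", "login",    0),    # second session right after the first
    (10,  "acct-1", "S2", "transfer", 400),
    (15,  "acct-1", "S2", "transfer", 450),
    (20,  "acct-1", "S2", "transfer", 140),
    (0,   "acct-2", "S3", "login",    0),
    (600, "acct-2", "S3", "transfer", 50),
]
BALANCES = {"acct-1": 1000, "acct-2": 1000}  # constructed opening balances


def detect_drain(events, balances, window=60, ratio=0.8):
    """Return session ids that move >= ratio of the opening balance within `window` seconds."""
    by_session = defaultdict(list)
    for ts, acct, sid, kind, amt in events:
        if kind == "transfer":
            by_session[(acct, sid)].append((ts, amt))
    flagged = set()
    for (acct, sid), xfers in by_session.items():
        xfers.sort()
        # Slide a window starting at each transfer; flag on the first window that drains.
        for i, (t0, _) in enumerate(xfers):
            total = sum(a for t, a in xfers[i:] if t - t0 <= window)
            if total >= ratio * balances[acct]:
                flagged.add(sid)
                break
    return flagged


def detect_parallel_logins(events, gap=30):
    """Return accounts where a second distinct session logs in within `gap` seconds of another."""
    logins = defaultdict(list)
    for ts, acct, sid, kind, _ in events:
        if kind == "login":
            logins[acct].append((ts, sid))
    flagged = set()
    for acct, items in logins.items():
        items.sort()
        for (t1, s1), (t2, s2) in zip(items, items[1:]):
            if s1 != s2 and t2 - t1 <= gap:
                flagged.add(acct)
    return flagged
```

Neither check depends on how strong the log-on was; both look only at behaviour after it, which is where this class of Trojan operates.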

After spending a few hours looking at various Web sites, I found dozens of these types of Trojans. What surprised me more is that their appearance is not unknown to most anti-virus companies and anti-malware vendors.

Mark Sunner, CTO of MessageLabs, which processes 160 million e-mails a day, says they’ve been spotting these Trojans since late 2005, but the quantity and specialization are increasing.

“In 2003, the Sobig worm really started the ‘worm-to-botnet-for-commercial-profit’ generation of malware,” Sunner explains. “In 2004 and 2005, it wasn’t unusual to find botnets with hundreds of thousands of infected hosts.” In other words, a buckshot approach.

“Since then the criminals have refined their methods,” Sunner continues. “The worms and Trojans are one-off malware, intentionally targeting specific companies and industries. Their related botnets are small, maybe numbering a total of 20,000 machines. Their intention is to stay hidden and get as much financial gain as possible. This means staying under the radar. If your bot worm infects 100,000 people in a day, it’s going to get noticed fast and your gain minimized.”

But it’s more than that: Everything the new malware does is more sophisticated. It uses multiple exploits to infect victims, connects out from the victim’s PC using port 80, downloads code updates from “mothership” Web servers using dynamic DNS, and e-mails the ill-gotten gains (usually over port 80) back home to different servers with changing locations.

I previously took some satisfaction in the Anti-Phishing Working Group's report that the average number of days that a phishing Web site was active was decreasing. That was until I realized this decrease was intentional: The group’s December 2005 report mentions several bank key-logging Trojans with screenshots, proof that the growing presence of key-logging Trojans led to the decreased size of botnets as they try to stay under the radar.

©1994-2009 Infoworld, Inc.