Tuesday, March 3, 2009

Tigger.A: Sophisticated trojan that likes stockbrokers

Customers and employees of firms that trade stocks and options beware: the Tigger.A trojan is targeting you. Tigger/Syzor is one of the most sophisticated pieces of malware that exist today.
“The trojan uses a privilege escalation vulnerability (MS08-066), which is almost an exact replica of the public exploit on Milw0rm. It disables Windows Defender, Windows Firewall, Outpost, Avira, Kaspersky, AVG, and CA products in unique ways such as posting malformed messages to windows owned by the daemon processes, sending special byte codes over named pipes, and using the products’ own API.”

“It installs a rootkit that runs in safe mode. The rootkit disables kernel debuggers, hooks FAT and NTFS file system drivers, and also prevents other processes from accessing the kernel driver’s memory so tools like GMER and IceSword can’t recover the .sys from RAM.

Tigger of course also injects code into user-mode processes. This component takes screen shots, hooks COM for spying on browser events, and exports passwords (protected storage, network and dial-up, and at least 11 popular chat, email, and remote access applications). It also steals web cookies, steals certificates, and puts the NIC in promiscuous mode to sniff FTP and POP3 passwords.”

More information at http://blogs.techrepublic.com.com/security/?p=960
