In late June, SecureWorks Senior Researcher Joe Stewart and I discovered new, previously undetected variants of the Prg Trojan (see Prg Trojan). This week, I uncovered the largest single cache of stolen data from the Prg Trojan found to date. The Trojan, also called wnspoem, was originally discovered by Secure Science and analyzed by Michael Ligh in November 2006. The data, which includes bank and credit card account information, SSNs, online payment account usernames and passwords and other personal information, comes from 46,000 victims, each of whom was individually infected.
The infection campaign began in early May. The victims are being infected and reinfected by ads on various online job sites: the hackers behind this scam are buying ad placements on those sites and delivering the Trojan through the ads themselves.
When a user views or clicks one of the malicious ads, the PC is infected, and everything the victim subsequently types into the browser is captured and sent to the hackers' server in the Asia Pacific region. Because the Trojan hooks the browser, it captures financial information before it is encrypted for an SSL-protected site; SSL does not protect against it. This server is still collecting stolen data, and at any one time we are seeing 9,000 to 10,000 victims sending information to it.
When I first discovered this large cache of data, I couldn't figure out how the hackers were compromising so many websites, and as a result, infecting so many victims.
However, when I uncovered the Trojan-delivering advertisements, it made total sense. These job sites get quite a bit of traffic, so it is no wonder that the hackers are having such success. Not only is SecureWorks seeing a large infection rate among victims, but we have found that many of the victims are being reinfected, leaving them with chronic infections of the Prg Trojan.
PC users are visiting these job sites and viewing these ads. They are infected, and two to three weeks later (after the hacker has already captured their information) their anti-virus catches the Trojan and removes it from the PC. They then return to the same online job sites, view or click another malicious ad, and are reinfected by the latest variant.
The hackers behind this scam are releasing a new variant every five days to a week on average, and sometimes even quicker.
Anti-virus is having a hard time keeping up with so many variants, so infections go undetected for several weeks. Even when a variant is eventually cleaned off the user's machine, many users are reinfected by a totally new, as yet undetected variant, and the infection cycle starts all over again.
How to Detect if Your Computer is Infected
Computers infected with the Prg Trojan will have a backdoor proxy server listening for connections on TCP port 6081. This port is not used by legitimate Windows services, and the listener is not hidden by the Trojan's rootkit functionality, so it shows up in a local port listing such as `netstat -ano` and in a port scan from another machine. If a process is listening on port 6081 on your computer, you are likely infected with the Prg Trojan. (An outbound connection that happens to use 6081 as its local ephemeral port is not the same thing; look for the LISTENING state.) If anti-virus is not detecting the infection, boot the computer into Safe Mode and run another scan. If that fails, manual removal or reinstalling the operating system may be necessary.
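As an added example (not from the original post or from SecureWorks), the following Python script implements the check above: it parses Windows `netstat -ano` output for a socket in the LISTENING state on port 6081, ignoring established connections that merely use 6081 as their local ephemeral port, and optionally confirms the finding with a TCP connect. The netstat sample embedded in the script is constructed for illustration, and the port number is the one named in this post; the column layout it parses is the standard `netstat -ano` format on Windows XP and later, not anything specific to the Trojan.

```python
import re
import socket
import subprocess
import sys

# Backdoor proxy port named in the post.
PRG_BACKDOOR_PORT = 6081

# Constructed sample of Windows `netstat -ano` output (not a real capture).
# PID 1728 is listening on 6081 and also has an outbound connection; the
# outbound line on port 1053 must not be reported.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6081           0.0.0.0:0              LISTENING       1728
  TCP    192.168.1.20:1053      203.0.113.7:80         ESTABLISHED     1728
  TCP    192.168.1.20:6081      198.51.100.9:443       ESTABLISHED     2204
  UDP    0.0.0.0:500            *:*                                    816
"""

# Proto, local addr:port, foreign addr:port, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$"
)


def find_listeners(netstat_output, port=PRG_BACKDOOR_PORT):
    """Return [(proto, local_addr, pid)] for sockets bound to `port`.

    TCP sockets are reported only in the LISTENING state, so an outbound
    connection whose local ephemeral port happens to equal `port` is skipped.
    """
    hits = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a row we do not understand
        proto, addr, lport, _foreign, state, pid = m.groups()
        if int(lport) != port:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        hits.append((proto, addr, int(pid)))
    return hits


def port_accepts_connections(host="127.0.0.1", port=PRG_BACKDOOR_PORT, timeout=2.0):
    """Confirm a listener by actually connecting to it.

    Run this from a second machine against the suspect host as well: the
    post says the port is not hidden locally, but an independent check does
    not rely on tools running on the possibly compromised system.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def collect_netstat():
    """Run `netstat -ano`; fall back to the constructed sample if unavailable."""
    try:
        proc = subprocess.run(["netstat", "-ano"], capture_output=True,
                              text=True, check=True)
        return proc.stdout
    except (OSError, subprocess.CalledProcessError):
        print("netstat -ano not available; using constructed sample",
              file=sys.stderr)
        return SAMPLE_NETSTAT


if __name__ == "__main__":
    listeners = find_listeners(collect_netstat())
    if not listeners:
        print("no listener on port %d" % PRG_BACKDOOR_PORT)
    for proto, addr, pid in listeners:
        print("%s listener on %s:%d owned by PID %d; Prg Trojan suspected"
              % (proto, addr, PRG_BACKDOOR_PORT, pid))
    if port_accepts_connections():
        print("127.0.0.1:%d accepted a connection" % PRG_BACKDOOR_PORT)
```

The PID reported by netstat is the place to start a manual investigation (Task Manager or Process Explorer), bearing in mind that the Trojan's rootkit component may hide the process and its files even though the port itself is visible.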