• Date: June 25, 2007
  • Author: Don Jackson

SecureWorks Senior Security Researcher Joe Stewart and I have discovered new, previously undetected variants of the Prg Trojan and several caches of stolen data containing account records for 10,000 corporate and home PC users. The data contains bank and credit card account numbers, credit union account numbers, Social Security Numbers, online payment accounts, and username and passwords (including popular challenge/authentication responses such as a user's mother's maiden name).

What makes the Prg Trojan especially lethal is its techniques for hiding itself from anti-virus software and the hackers behind it, who have the ability to launch new variants at a drop of a hat.

SecureWorks already had countermeasures in place for its clients and immediately notified research partners, anti-virus vendors and law enforcement officials last week upon discovering the new variants. The PrgTrojan was originally found by Michael Ligh (who called it "wnspoem") in October 2006.

Difficult to Detect and Quick to Move
Using its construction kit, the Prg Trojan code is recompiled to hide its "genetics" and the executable file is processed with a new compression and anti-forensics utility called a "packer". The newer variants are also more configurable. They can be programmed via custom options files to deliver data to servers that forward it through a chain of proxies, making it difficult to find caches of stolen data. When data is located, it is always encrypted to keep others from 'leeching' (stealing the data for themselves). New variants of the Trojan have new ways of encrypting that data, making old analysis tools obsolete. New encryption methods must be reverse-engineered from raw machine code.

Additionally, we discovered that the hackers behind the attacks have developed staging areas on servers, where new variants of the Prg Trojan are waiting to be released once the anti-virus software begins to detect the last incarnation of the Trojan's executable code.

New Variants Appearing Faster than Enterprise Anti-Virus Vendors Can Protect Against
Because of the rate at which newly compiled and packed variants are appearing is faster than enterprise anti-virus vendors can develop and distribute new signatures for, a larger than average number of corporate PCs are being affected, thus leaking confidential business information and logins to internal systems to the hackers. This is confirmed through analysis of server log files. Each server not only keeps a register of all known infections, but also a dynamic list of all of the currently active bots.

Prg Trojan Avoids SSL Encryption
We found that the Prg variant, as well as the original wnspoem Trojan, share the ability to sniff sensitive data from Windows internal memory buffers before it's encrypted and sent to SSL-protected web sites. Notably, the latest variant also includes a server that provides attackers with backdoor access to infected computers. It listens on TCP port 6081, waiting for the attacker to connect and issue commands, forward data, or rummage through files. Recently, information provided to the SANS Internet Storm Center (ISC) through their Dshield program -- of which SecureWorks is a participant -- revealed a sharp increase in scans and connection attempts targeting this previously unregistered port number. This could indicate that the attackers are looking for control over each other's botnets, possibly to pool their resources for a large scale attack.

Using the information from these analyses, SecureWorks Research Team was able to not only craft countermeasures to protect its clients from the Trojan, it also enabled the team to track down new "drop zones" and decrypt the stolen data found there. It was on these servers that the new variants were found, waiting to be released when anti-virus software begins to detect them. This discovery is enabling SecureWorks to stay one step ahead of the attackers by analyzing and preparing defenses before new versions are released. SecureWorks is also providing samples of each new variant to anti-virus software vendors so that malware file detection and removal signatures can be developed.

Multiple Hacker Groups Behind Attacks
Research into the origin of this malware revealed that it is being sold to multiple groups who are carrying out attacks simultaneously.

  1. One group names their attacks using the letter "H" and uses e-mail to spam the Trojan to unsuspecting users. Once the user opens the email and clicks on the enclosed link or attachment, they are infected. One of the most recent Prg emails had a subject line reading: "HAPPY FATHER’S DAY, someone special has sent you a greeting." This group's attacks sent data back to servers in the Russian IP address space.
  2. Another group names their attacks after makes of cars ("Ford," "Bugatti," and "Mercedes"), and spread their versions of the Trojan by exploiting vulnerabilities in the ADODB and other components of Windows and Internet Explorer; it reports back to servers in both the United States and China.

The car group alone has claimed more than 6,000 victims in one attack and the stolen data is sitting on a server hosted in China. They also claimed more than 2,000 additional victims and this data was sitting on a server at a major U.S. Web hosting company. A vast majority of victims appear to be based in the U.S. We found yet another 2,000 victims on Friday, June 22 on two additional servers run by a group, identified as blew. The data being stolen by the Prg Trojan includes any sensitive information that a user would normally feel safe entering into a Web site because the browser "padlock" icon indicates it is protected by SSL. However, because of the way this Trojan copies the data before it is encrypted, any data sent to any secure Web site, including:

  • Social Security numbers
  • Bank account numbers
  • Names, street addresses, phone numbers
  • E-mail addresses and messages
  • Usernames and passwords
  • "your mother's maiden name"
  • Sensitive/regulated legal and medical data

... is easily stolen and transmitted directly to the computers run by cyber criminals.

In general, peak infection rates last one to three weeks before operating system patches and anti-virus updates make their way to users' infected PCs. During this time span, attacks using only modestly successful distribution methods -- email or six-month-old browser exploits, for example -- collect more than 1 GB (gigabyte, or approximately one billion characters) of stolen data from infected users' PCs each day.

Other groups, who have purchased this Trojan and its construction kit from the authors on underground forums, are currently carrying out other attacks, each with their own distribution method and drop zone servers. The truth is, nobody knows how many people purchased the Trojan code, how many attacks are underway, and how many are planned. Meanwhile, corporate PCs and home PC users are bleeding sensitive information by the gigabytes.

How to Protect Against the Prg Trojan Variants
Relying on signature-based technologies leaves one vulnerable for a period of time. In addition to the latest operating system and application security patches, behavior-based systems, well-maintained spam filters, and intrusion prevention systems (IPS) can all help prevent the initial infection by new variants.