Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13

Chapter 11: Data Stealing Trojans

Introduction to data stealing Trojans

Data-stealing malware was known since the beginning of PC-era when keyloggers first appeared. But it resurfaced on a new level in a form of Trojans installed from malicious or infected Web sites in early 2000. Most were designed to capture your financial transactions with the bank.

The main rational was to steal money from checking accounts. In 2004 Bob Sullivan, a technology correspondent of MSNBC noted (Survey 2 million bank accounts robbed June 14, 2004):

But phish isn't the only way criminals gain access to online bank accounts, according to industry experts. Computer criminals are becoming increasingly proficient at writing Trojan horse programs and keyloggers that steal passwords and account information. Such secret malicious programs, which exerts say are more widespread than many realize, could be the cause of up to half the account takeovers, Litan speculated.

Such programs can be installed on home users' computers through virus-laden e-mails. People who do their online banking at public computers, such as at Internet cafes, are also at risk from this kind of password swiping.

The Gartner survey found that more than 4 million consumers reported suffering checking account takeovers at any time during recent years, with half that number saying it had happened in the most recent 12-month span -- indicating a sharp increase in the activity.

There is also new, more complex generation of this type of malware with some of them are probably created with government support or in government labs. See for example Flame.

Although this code eventually will be reused in criminal worlds right now this is not the case and we can concentrate on malware which is designed to steal financial information.  That might help to make you online banking more secure as using the same computer for Web browsing as you use for online banking is definitely unsafe.

Data Stealing Trojans can also be installed by close to you people who are interested in monitoring your activities. There is a class of data stealing Trojans that is produced as a part of computer monitoring software targeted to police, large enterprises and zealous spouses ;-). One example is Investigator, a product of WinWhatWhere, a small  company in Seattle (Webcam spying goes mainstream):

Not long ago, software that sneakily turned on Webcams and captured video of someone sitting at a computer would be dismissed as a tool for hackers and voyeurs. This week, a Seattle-based software developer will begin bragging about that feature and many others as it releases a bold update to its computer monitoring software. Emboldened in part by the events of Sept. 11, WinWhatWhere president Richard Eaton no longer feels like he has to apologize for his software; and privacy advocates no longer seem quite as ready to dismiss products like his.

WINWHATWHERE HAS BEEN helping employers, police officers, and even suspicious spouses spy on their suspects’ computer work since 1993. The company’s Investigator product can watch and record every keystroke typed into a computer, and can even secretly e-mail the results across the Internet.

That’s not new; what’s new is the firm’s no-apologies stance to the software’s capabilities, which will become even more intrusive with this week’s release of version 4.0. In fact, WinWhatWhere is bragging about it — in a press pitch, the company’s PR firm boasts of a coming “new set of controversial features.”

 “I was like the conflicted programmer. For years, I used to be apologetic about it,” said WinWhatWhere president Richard Eaton. “But I’ve come around. It does have legitimate uses for investigators. With companies, it is their computer. I don’t think there’s anything inherently sacred about a computer terminal.”

Eaton’s assertions ring very differently in a post-Sept. 11 world — a world where we know terrorists can use remote, anonymous computers to plot heinous acts of murder, and where law enforcement agencies say they need to be on equal footing. The discussion has emboldened Eaton, who has in the past expressed mixed feelings and even regrets about some of the missions his software had been deployed in.

So, while two years ago he nixed the idea of allowing remote control of an unknowing “victim’s” Webcam, he’s now implemented the feature.

 “I fought it two years ago, because I could see no legitimate no usage for it,” he said. “But now I see you use it to confirm who’s typing on the computer while you are capturing keystrokes, so it’s in there.”

Employers have a legitimate right to expect employees to put in a full day’s work for the paycheck. An employee, however, deserves some “down time” without feeling like every trip to the restroom is being digitally chronicled and stored in some electronic file.

Unless the company you work for specifically states otherwise, your boss may listen, watch and read your workplace communication.

In most instances, yes. For example, employers may monitor calls with clients or customers for reasons of quality control. Federal law, which regulates phone calls with persons outside the state, does allow unannounced monitoring for business-related calls. (See Electronic Communications Privacy Act, 18 USC 2510, et. seq.)

An important exception is made for personal calls. Under federal case law, when an employer realizes the call is personal, he or she must immediately stop monitoring the call. However, when employees are told not to make personal calls from specified business phones, the employee then takes the risk that calls on those phones may be monitored.

Yes. Telephone numbers dialed from phone extensions can be recorded by a device called a pen register. It allows the employer to see a list of phone numbers dialed by your extension and the length of each call.

Generally, yes. Since the employer owns the computer network and the terminals, he or she is free to use them to monitor employees.

Employees are given some protection from computer and other forms of electronic monitoring under certain circumstances. Union contracts, for example, may limit the employer's right to monitor. If an employer states in a written document that they do not monitor their employees, they are bound by that agreement, with some limited exceptions.

Most computer monitoring equipment allows employers to monitor without the employees' knowledge. However, some employers do notify employees that monitoring takes place. This information may be communicated in memos, employee handbooks, union contracts, at meetings or on a sticker attached to the computer.

In most cases, no. If an electronic mail (e-mail) system is used at a company, the employer owns it and is allowed to review its contents. Messages sent within the company as well as those that are sent from your terminal to another company or from another company to you can be subject to monitoring by your employer. The same holds true for voice mail systems.

No. Electronic and voice mail systems retain messages in memory even after they have been deleted. Although it appears they are erased, they are often permanently "backed up" on magnetic tape, along with other important data from the computer system.

LAW ENFORCEMENT-FRIENDLY 

The new version of the software, which costs $150, also includes so-called “Scarfo friendly” features which accommodate the sometimes awkward requirements of law enforcement agencies in pursuit of admissible evidence.

Nicodemo Scarfo was arrested for loan sharking in 2000 after FBI agents installed key-logging software on his machine. In order to not run afoul of wire-tapping laws, the software was programmed to shut down if Scarfo connected to the Internet — since the FBI had not obtained a court order which allowed monitoring of telephone communications.

WinWhatWhere can also shut itself off if an Internet connection is detected; or it can turn on only when a certain key phrase is typed in, thereby activating the narrow terms of a search warrant.

WinWhatWhere’s relationship with the FBI earned the software company great notoriety two years ago when it was used by agents who had lured two infamous Russian hackers to the United States. But in fact the software is really a small player in the market, according to Andrew Schulman, chief researcher of the Privacy Foundation. In a study released last year, Schulman discovered that one in four U.S. workers are monitored in some way, but generally companies use software that is much less intrusive than WinWhatWhere. Only about 15,000 corporate desktops have WinWhatWhere watching employees, Schulman says. The company says it’s sold 200,000 licenses for the product.
      
MONITORING MORE PALATABLE

Still, the software is important because it pushes the envelope on monitoring technology and is a lightning rod for debate on the emotional topic. And right now, Schulman said, monitoring software — like all security measures — seem more palatable then they once did.

 “And I’m not quite sure why,” he said. “Before Sept. 11 there were all sorts of laudable law enforcement goals, too.”

And yet, Schulman concedes, U.S. law enforcement’s ability to quickly collect images of terrorists as they made withdrawals from ATM machines or walked through airport security have amounted to an impressive demonstration of the value of monitoring technologies.

 “The big story about workplace surveillance is that more and more of what we do gets recorded somewhere, and that has both negative and positive aspects to it,” he said. “After Sept. 11, we’ve all seen pictures of Mohammed Atta at an ATM, about to get on an airplane. And when those pictures were taken, no one knew Atta or any other terrorists. The fact that everyone using an ATM has their picture recorded and can be found later in an investigation, that’s where WinWhatWhere fits in.”
      
WORKS IN INTERNET CAFES

Eaton argues that law enforcement agents frustrated by criminals using technology to gain the upper hand deserve help, and his software provides it. For example, public Internet cafes provide near-perfect anonymity for criminals looking to evade avoid law enforcement and cover their tracks. But armed with his software, corporate investigators recently napped a criminal making e-mail threats against a U.S. corporation from just such a cafe in India — because the cafe agreed to install the software on every computer to watch for the suspicious writer.

Without the software, catching the criminal would have been nearly impossible, Eaton said.

But privacy expert Richard Smith, who now operates ComputerBytesMan.com, is worried use of the software in a public place like a cafe probably sacrificed the rights of many to hunt the trail of one.

“Sounds like there were plenty of innocent people who got listened in on,” Smith said.

That’s why WinWhatWhere can turn itself on or off, and even uninstall itself, counters Eaton.

STILL UNSAVORY USES

But even as he claims the product will only improve and conform to limited uses allowed within the rules of evidence, he admits the product still has unsavory applications — like spouses spying on each other. Only 60 percent of WinWhatWhere customers are corporations or law enforcement, and Eaton estimates about half the remainder are home users.

“I don’t like it. I have no use for that purpose,” he says, a bit sheepishly. “When I hear from these people, I tell them your money is better spent on counseling. If you are sneaking into your wife’s laptop, shame on you.

“But,” he sheepishly concedes, “We do cash their checks.”

Even in this unsavory arena, Schulman concedes there seems to be a growing voice that is willing to re-balance the scales of privacy and safety. With the admiring tone of one describing a respected, worthy opponent, Schulman echoed the position maintained by David Brin in the book “The Transparent Society” during a recent interview with MSNBC.com.

“We may be headed for a golden age of accountability,” Schulman said. “It’s possible the erosion of privacy is a good thing ... Maybe ‘A man’s home is his castle,’ just gives men the right to beat their wives.

“Well, Richard Eaton is bringing us there. Whether, ‘there’ is a good place or not is just not clear to me.”

There is also hardware keyloggers that can be installed or even preexists (installed by default) on your laptop (keyloggers_in_dell_laptop.shtml),

Recently Trojans that try to steal account and password for online games appeared. See Trojan-GameThief.Win32.OnLineGames2.an (also known as kiaqus by the name of one of the files kiaqus.exe

And as if we do not enough of troubles without government involvement two government sponsored worms that propagate via USB sticks and local networks also were found in the wild (Flame and Duqu).

While chances to be infected by them for a regular Joe User is cloze to zero, the methods used even if hypothetical will be reused by financial fraud artists and other con artists leading to a new stage of malware development for Windows OS. And that's is not a good prospect...

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes :  Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce :  Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS :  Programming Languages History : PL/1 : Simula 67 : C : History of GCC development :  Scripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month :  How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019