Identity Theft Ring Used a Powerful Keyboard Logger

Last week we reported that Sunbelt Software uncovered an identity theft ring. This week we learned how that ring managed to gather so much sensitive information.

Sunbelt CEO Alex Eckelberry said the company finally were able to directly examine an infected machine. What the company discovered was, in Eckelberry's own words, "the keylogger from hell." Eckelberry also said the keylogger, which Sunbelt has named Srv.SSA-Keylogger is probably based on Dumador variety of Trojans. 

The keylogger has a small footprint, runs under Internet Explorer, disables Windows Firewall, steals data from the Windows clipboard, and gathers login and password information from a wide range of applications including Webmoney, Far Manager and Total Commander. The keyloggers also modifies a user's host file to prevent access to security vendor sites so that people cannot obtain updates to their detection and protection packages.

The keylogger is also capable of gather information from Windows Protect Storage area of the registry, which is used by Internet Explorer to store Web site login information. Various tools and source code packages are available that can be used to navigate and display the Protected Storage area, and apparently spyware developers have integrated this type of capability functionality into malware.

The obvious solution to that problem is to disabled AutoComplete in Internet Explorer, which can be accomplished by selecting the Tools menu, then Content, then AutoComplete where you can disable the feature and erase any data already stored by the browser.

Keep in mind that a firewall might not prevent such keyloggers, especially if they attach themselves to processes that are allowed to move traffic in and out of the firewall. Other protection is necessary, not the least of which are sensible Internet usage habits along with powerful anti-spyware packages.