Fake Windows XP activation trojan goes 2.0

Known as Kardphisher and "in the wild" since April 2007, this trojan horse mimics the Windows XP activation interface while collecting the credit card details the end user submits. Last week its author made significant changes to the trojan's visual interface and usability, consequently improving its authenticity. Guess what happens when a gullible end user falls victim to this social engineering attack?

Their credit card details end up automatically in an IRC channel set up specifically for that purpose. Changes in the new version include a more legitimate-looking color scheme, improved restrictions that make it much harder for the end user to close the application without submitting their credit card details, built-in validation of credit card numbers and email addresses, and display of the current product key to make the application look more legitimate. Once the user enters all the validated data, the new version of the tool automatically removes itself as if the activation had succeeded. Moreover, a bogus "Verified by Visa" message that also requests a social security number and date of birth makes the trojan the perfect tool in the hands of identity thieves relying on nothing more than plain social engineering impersonating Microsoft.

The latest Kardphisher may indeed fill in all the gaps from the previous version, but for the time being the trojan can never scale as efficiently as crimeware "in the middle" does. Among the main growth factors behind the increasing number of such malware is the fact that throughout the entire year proprietary crimeware kits, costing several thousand dollars on average, started leaking out, allowing many new entrants to use what was once a highly exclusive tool in the arsenal of the experienced cybercriminal.

Topics: Security, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

134 comments
  • Why are you advertising the merits of a trojan?

    This whole blog post reads like an ad, it almost sounds like you're bragging about how improved the latest version of the trojan is.
    T1Oracle
    • Re: Why are you advertising the merits of a trojan?

      Well, it's indeed improved, that's why it goes 2.0, and you're supposed to be aware of what the latest version looks like and what it does, in order to be extra vigilant until the major AV vendors add detection for it.

      As long as you don't know its real name, but the AV alias, as well as where to obtain it from, you're responsibly informed on the latest developments related to it.
      ddanchev
      • Or, you can switch to an Open Source OS.

        This scheme couldn't work with an OS that doesn't require activation...
        914four
        • Don't try to turn this into a MS thing

          This is not a Microsoft thing, it is a social engineering thing. During Windows Activation, you are never asked for any information (although you are asked if you want to REGISTER) and anyone who legally obtained AND activated their own software would know that.

          This comes down to the average computer user is just oblivious to things like this and the (Trojan) writer is hoping to catch a few gullible people with it.

          The same type of thing could happen to any Mac user or Linux user with a different type of application. It only makes sense to target Windows users based on sheer numbers and that is what the less suspecting individuals use.

          Just an FYI, more and more grandmas and grandpas are getting Macs, so you may see this type of thing start appearing on Mac in the future too.
          Linux, let's be realistic, unless you live in a community where everyone wears a beanie on top of their head with a propeller on it, they don't use Linux en masse. I use Linux but would never expect my elderly parents or grandparents to use it.
          riveroad
          • Ahh... Yes it is a Microsoft thing.

            Windows and its approach to security came from Microsoft DOS, i.e. any program can do anything it wants to any device or program on the machine because all users have administrator rights. This can NOT be patched out!! It will require a complete turnaround in Windows OS/application programming culture. Do you realize how many applications will not run in MS Windows with only user rights?!?! I do.

            Linux, MAC OS-X, UNIX were designed with security from the beginning! Users only have user rights! Users are NOT administrators/root! Applications must be written with this in mind.

            Yes the Trojan is social engineering, but it would not be allowed to install if the user did not have administrator rights!
            BilboRT
          • Let's try this yet again

            An effective trojan does NOT need admin rights.

            Remember MyDoom? That could easily be written in perl and be portable across all *nix platforms.
            rpmyers1
          • Rofl RUNNING programs is MS problem

            Linux boy got jacked...

            Let the open source geek keep his dream.

            Yeah running anything on open source is perfectly safe.

            the problem is no one uses linux except dorks :)
            mikes2nd
          • Nice reply rpmyers1!

            Hah, nice one.
            No doubt, an exploit is an exploit. (I used to code perl in the old days)
            It is just less likely to exploit open source cuz nobody is using it and not worth the bother for the malware community to write against it, unless they only want to get one or two credit cards.
            Oh, wait, there would be no credit cards, there is never any money exchanged in open sourceville!
            cudos2u
            10W1V1
          • That's because Windbloze users...

            Are too dumb to learn it... They've been programmed by the Gates Borg for too long.

            [i]"the problem is no one uses linux except dorks"[/i]
            hasta la Vista, bah-bie
          • More accurately...

            An effective trojan in WINDOWS does not need admin rights.

            The *nix security subsystem in every iteration of the *nixes requires root for similar installs. Otherwise they're just files sitting on the filesystem doing nothing. There is no such thing as a self-installing *nix virus.

            Even the last trojan that PCWorld spouted about OS X (a BSD Unix iteration) required administrative privileges to install. Even your MyDoom scenario would still result in something no more dangerous than spyware for that ONE user and only when they're logged on and only when they activate it.

            All of the worst M$ malware were self-installers and self-replicators.
            MKleinpaste
          • Re: Ahh... Yes it is a Microsoft thing

            because all users have administrator rights

            What?? Are you sure?? All users have USER rights. You grant them Administrator rights or use Run as... to run in administrative mode.

            In Linux you can grant a user root access or use sudo.

            You need some training!!
            Some guy_z
          • No! In Linux you never grant the user Administrator rights

            Only root has administrator rights, and those rights are never given to the user.

            A user may switch user, within the context of a specific application, for example Konsole or drakconf (Mandriva) or sudo, to root (Administrator), but the user is never given administrator (root) privileges.

            You need some education.
            tracy anne
          • If you do that...

            ...then you deserve what you get...

            [i]"In Linux you can grant a user root access or use sudo."[/i]
            hasta la Vista, bah-bie
          • guy_z, that'd be equivalent to..

            ..using Windows.

            =/
            AzuMao
          • clue_less

            clearly you have no idea what you are talking about.
            wargammer2005
          • But this IS a Microsoft thing.

            *nix systems don't have anything resembling the draconian activation processes of Microsoft, so this social engineering attack would be completely useless on them, REGARDLESS of the technical side (i.e. good luck locking the user out of his own system on *nix).
            AzuMao
          • Clueless...

            Quote:" Linux, let's be realistic, unless you live in a community where everyone wears a beanie on top of their head with a propeller on it, they don't use Linux in mass."

            I have Mexican field workers using Xandros and OpenOffice on Asus EeePCs gathering data. They used to do it writing on paper. They had NO computer experience other than an old HP200LX.

            Anyone can use Linux. And it is harder for them to screw it up. I am slowly shifting the whole company to Linux and Open Office. Bye Bye Microsoft!
            agohige
          • Grandma's & Grandpa's?

            I am a 66 year-old "grandpa". I have not and probably never will fall victim to any of these schemes, because I am intelligent and knowledgeable enough to exercise a few simple rules of personal data disclosure. I cannot believe that very many other "grandpa's & grandma's" of reasonable intelligence fall victim to such scams. Those of us who are long in the tooth have the distinct advantage of having achieved a bit of wisdom that comes only from years of experience.

            The reason "elderly" people appear in news stories about internet scams and schemes is that we are generally mature enough to admit that we have done something stupid, whereas the young "God I'm so savvy I squeak" Turks would rather die than let anyone know they've been had.

            Just my $0.02 worth. :-)

            Tom Weeks
            tomweeks@...
          • From Grandma

            Bravo on your great statement! I'm 77 and certainly wise enough AND knowledgeable enough not to fall for these things. I think you're absolutely correct when you say older people are not afraid to admit errors whereas the young don't want to admit it (generally) when they've made a drastic mistake. My sympathy goes out to those who seem to believe old age brings stupidity.

            Jody
            pokyjo
          • Too True

            My granddad uses his computer purely for checking a few things on the web and the occasional printing. He may be unsure of what some things mean when XP throws up the odd error message, but he doesn't want to know the technicalities (like most users of computers in general).

            But overall, most young people are less tech savvy than older people, mainly due to experience. For example, people who have watched IT develop and take over our lives treat it with the respect it deserves. Young people take it for granted and are often arrogant about security.

            This I have seen to be true, correct me if I'm wrong.
            rm.squires@...