
Zero Day

Ryan Naraine and Dancho Danchev

Fake Windows XP activation trojan goes 2.0

By Dancho Danchev | November 18, 2008, 7:23pm PST

Known as Kardphisher and “in the wild” since April 2007, this trojan horse mimics the Windows XP activation interface while harvesting the credit card details the end user submits. Last week its author made significant changes to the visual interface and usability of the trojan, and consequently improved its authenticity. Guess what happens when a gullible end user falls victim to this social engineering attack?

Their credit card details are posted automatically to an IRC channel set up specifically for that purpose. Changes in the new version include a more legitimate-looking color scheme, tighter restrictions that make it much harder for the end user to close the application without submitting credit card details, built-in validation of card numbers and email addresses, and display of the current product key to make the application look more legitimate. Once the user has entered all the validated data, the new version removes itself, as if activation had succeeded. Moreover, a bogus “Verified by Visa” message that also requests a social security number and date of birth makes the trojan the perfect tool in the hands of identity thieves relying on nothing but plain social engineering impersonating Microsoft. (Genuine Windows product activation never asks for payment card details, so any activation dialog that does is fraudulent by definition.)
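As an added example (not code from the original post, and not the trojan's own code), here is the defender's side of what this paragraph describes: a scanner that reads captured IRC PRIVMSG lines and flags messages carrying a Luhn-valid payment card number, the same mod-10 check that “built-in validation of credit cards” usually means. The message layout, the channel name, the bot nickname and the sample lines are constructed assumptions; the page does not document the real trojan's IRC format, and the card numbers are the standard Visa/Mastercard test numbers, not real accounts.

```python
"""Flag payment-card data riding over IRC.

Added example, not code from the original post or from the Kardphisher
author. The PRIVMSG layout, channel name, nickname and every sample line
below are constructed assumptions; the real trojan's IRC protocol is not
documented on the page.
"""
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or dashes. Known limitation: a digit-only token that follows the
# number after one space (e.g. "... 1111 12/10") is swallowed into the run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Loose e-mail pattern, only used to note that an address rode along.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# IRC PRIVMSG as seen on the wire: ":nick!user@host PRIVMSG #chan :text"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)\S* PRIVMSG (?P<target>\S+) :(?P<text>.*)$"
)

# Constructed sample capture. 4111111111111111 and 5500000000000004 are the
# well-known Visa/Mastercard test numbers; 4111111111111112 fails Luhn.
SAMPLE_IRC = [
    ":kardbot!kp@10.0.0.5 PRIVMSG #drop :cc=4111-1111-1111-1111 exp=12/10 cvv=123 mail=victim@example.com dob=01/02/1950",
    ":kardbot!kp@10.0.0.5 PRIVMSG #drop :cc=4111111111111112 exp=01/11",
    ":alice!a@host PRIVMSG #chat :my phone is 555-0100-1234, ticket 20081118",
    ":bob!b@host PRIVMSG #chat :order 5500000000000004 shipped",
    "PING :irc.example.net",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep BIN and last four so the alert itself does not leak the card."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_irc(lines) -> list:
    """Return one alert per PRIVMSG that carries a Luhn-valid card number."""
    alerts = []
    for line in lines:
        m = PRIVMSG_RE.match(line.rstrip("\r\n"))
        if not m:
            continue                      # PING, JOIN, NOTICE, etc.
        pans = find_pans(m.group("text"))
        if not pans:
            continue
        alerts.append({
            "nick": m.group("nick"),
            "target": m.group("target"),
            "pans": [mask(p) for p in pans],
            "has_email": bool(EMAIL_RE.search(m.group("text"))),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_irc(SAMPLE_IRC):
        print(alert)
```

Luhn validity alone is a weak signal (about one in ten random digit strings passes), so in practice this check is combined with context such as the destination being an IRC channel on a non-business host, the card number appearing next to an expiry date or CVV, or the same nick posting many such messages.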

The latest Kardphisher may indeed fill in all the gaps of the previous version, but for the time being the trojan can never scale as efficiently as crimeware that sits “in the middle” of the victim's banking session does. Among the main growth factors for the increasing number of such malware is the fact that throughout the entire year proprietary crimeware kits, costing several thousand dollars on average, started leaking out, allowing many new entrants to start using what was once a highly exclusive tool in the arsenal of the experienced cybercriminal.

Biography

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He has been an active security blogger since 2007 and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

Talkback (most recent of 134)

  • Why are you advertising the merits of a trojan?
    This whole blog post reads like an ad; it almost sounds like you're bragging about how improved the latest version of the trojan is.
    T1Oracle
    19th Nov 2008
  • Re: Why are you advertising the merits of a trojan?
    Well, it's indeed improved, that's why it goes 2.0, and you're supposed to be aware of what the latest version looks like and what it does, in order to be extra vigilant until the major AV vendors add detection for it.

    As long as you don't know its real name, but the AV alias, as well as where to obtain it from, you're responsibly informed on the latest developments related to it.
    ddanchev (ZDNet Blogger)
    19th Nov 2008
  • Or, you can switch to an Open Source OS.
    This scheme couldn't work with an OS that doesn't require activation...
    914four
    19th Nov 2008
  • Don't try to turn this into a MS thing
    This is not a Microsoft thing, it is a social engineering thing. During Windows Activation, you are never asked for any information (although you are asked if you want to REGISTER), and anyone who legally obtained AND activated their own software would know that.

    This comes down to the fact that the average computer user is just oblivious to things like this, and the (Trojan) writer is hoping to catch a few gullible people with it.

    The same type of thing could happen to any Mac user or Linux user with a different type of application. It only makes sense to target Windows users based on sheer numbers, and that is what the less suspecting individuals use.

    Just an FYI, more and more grandmas and grandpas are getting Macs, so you may see this type of thing start appearing on Mac in the future too.
    Linux, let's be realistic: unless you live in a community where everyone wears a beanie on top of their head with a propeller on it, they don't use Linux en masse. I use Linux but would never expect my elderly parents or grandparents to use it.
    riveroad
    19th Nov 2008
  • Ahh... Yes it is a Microsoft thing.
    Windows and its approach to security came from Microsoft DOS, i.e. any program can do anything it wants to any device or program on the machine because all users have administrator rights. This can NOT be patched out!! It will require a complete turnaround in Windows OS/application programming culture. Do you realize how many applications will not run in MS Windows with only user rights?!?! I do.

    Linux, Mac OS X, UNIX were designed with security from the beginning! Users only have user rights! Users are NOT administrators/root! Applications must be written with this in mind.

    Yes the Trojan is social engineering, but it would not be allowed to install if the user did not have administrator rights!
    BilboRT
    19th Nov 2008
  • Let's try this yet again
    An effective trojan does NOT need admin rights.

    Remember MyDoom? That could easily be written in perl and be portable across all *nix platforms.
    rpmyers1
    19th Nov 2008
  • Rofl RUNNING programs is MS problem
    Linux boy got jacked...

    Let the open source geek keep his dream.

    Yeah running anything on open source is perfectly safe.

    the problem is no one uses linux except dorks happy
    mikes2nd
    19th Nov 2008
  • Nice reply rpmyers1!
    Hah, nice one.
    No doubt, an exploit is an exploit. (I used to code perl in the old days)
    It is just less likely to exploit open source cuz nobody is using it and not worth the bother for the malware community to write against it, unless they only want to get one or two credit cards.
    Oh, wait, there would be no credit cards, there is never any money exchanged in open sourceville!
    cudos2u
    10W1V1
    19th Nov 2008
  • That's because Windbloze users...
    Are too dumb to learn it... They've been programmed by the Gates Borg for too long.

    "the problem is no one uses linux except dorks"
    hasta la Vista, bah-bie
    20th Nov 2008
  • More accurately...
    An effective trojan in WINDOWS does not need admin rights.

    The *nix security subsystem in every iteration of the *nixes requires root for similar installs. Otherwise they're just files sitting on the filesystem doing nothing. There is no such thing as a self-installing *nix virus.

    Even the last trojan that PCWorld spouted about OS X (a BSD Unix iteration) required administrative privileges to install. Even your MyDoom scenario would still result in something no more dangerous than spyware for that ONE user, and only when they're logged on and only when they activate it.

    All of the worst M$ malware were self-installers and self-replicators.
    MKleinpaste
    21st Nov 2008
  • Re: Ahh... Yes it is a Microsoft thing
    "because all users have administrator rights"

    What?? Are you sure?? All users have USER rights. You grant them Administrator rights or use Run as... to run in administrative mode.

    In Linux you can grant a user root access or use sudo.

    You need some training!!
    Some guy_z
    20th Nov 2008
  • No! In Linux you never grant the user Administrator rights
    Only root has administrator rights, and those rights are never given to the user.

    A user may switch user, within the context of a specific application, for example Konsole or drakconf (Mandriva) or sudo, to root (Administrator), but the user is never given administrator (root) privileges.

    You need some education.
    tracy anne
    20th Nov 2008
  • If you do that...
    ...then you deserve what you get...

    "In Linux you can grant a user root access or use sudo."
    hasta la Vista, bah-bie
    20th Nov 2008
  • clue_less
    Clearly you have no idea what you are talking about.
    wargammer2005
    20th Nov 2008
