Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Fake Windows XP activation trojan goes 2.0

By | November 18, 2008, 7:23pm PST

Known as Kardphisher and "in the wild" since April 2007, this trojan horse mimics the Windows XP activation interface while collecting the credit card details the end user submits. Last week its author made significant changes to the trojan's visual interface and usability, consequently improving its authenticity. Guess what happens when a gullible end user falls victim to this social engineering attack?

Their credit card details end up automatically in an IRC channel set up specifically for that purpose. Changes in the new version include a more legitimate-looking colour scheme, tighter restrictions that make it much harder for the end user to close the application without submitting their credit card details, built-in validation of credit card numbers and email addresses, and display of the current product key to make the application look more legitimate. Once the user enters all the validated data, the new version of the tool removes itself as if the activation had succeeded. Moreover, a bogus "Verified by Visa" message that also requests a social security number and a date of birth makes the trojan the perfect tool in the hands of identity thieves relying on nothing but plain, simple social engineering impersonating Microsoft.
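The exfiltration path described above, card details posted straight into an IRC channel, is something a network monitor can look for. The following Python is an added example, not code from the article or from the malware itself: it scans constructed IRC PRIVMSG lines (the nicks, channel and card numbers are made-up test values) for Luhn-valid card numbers and SSN-shaped strings and raises one alert per offending message.

```python
import re

# Constructed sample of IRC traffic, modelled on the article's description of
# Kardphisher posting harvested card details to a channel. Nicks, channel and
# numbers are test values; 4111... and 5500... are well-known Luhn-valid test
# numbers, not real cards.
SAMPLE_IRC_LINES = [
    ":victim01!~u@10.0.0.5 PRIVMSG #drop :cc=4111111111111111 exp=09/11 cvv=123 name=J Doe",
    ":victim01!~u@10.0.0.5 PRIVMSG #drop :ssn=123-45-6789 dob=01/02/1950",
    ":chatter!~u@10.0.0.9 PRIVMSG #general :my order number is 1234567812345678",
    "PING :irc.example.invalid",
    ":victim02!~u@10.0.0.6 PRIVMSG #drop :cc=5500000000000004 exp=12/10 cvv=999",
]

# Minimal IRC PRIVMSG parser: ":nick!user@host PRIVMSG target :text"
PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)\S* PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits
CANDIDATE_PAN_RE = re.compile(r"(?<!\d)(\d[ -]?){13,19}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit numbers found in text, separators stripped."""
    found = []
    for m in CANDIDATE_PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep BIN and last four so the alert itself does not leak the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_irc(lines) -> list:
    """Flag PRIVMSGs carrying card-like or SSN-like data; returns a list of alert dicts."""
    alerts = []
    for line in lines:
        m = PRIVMSG_RE.match(line.strip())
        if not m:
            continue            # PING/PONG, JOIN and other non-message traffic
        text = m.group("text")
        pans = find_pans(text)
        ssns = SSN_RE.findall(text)
        if pans or ssns:
            alerts.append({
                "nick": m.group("nick"),
                "channel": m.group("target"),
                "pans": [mask_pan(p) for p in pans],
                "ssn_count": len(ssns),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_irc(SAMPLE_IRC_LINES):
        print(alert)
```

The Luhn check keeps the 16-digit order number in #general from being reported, while both drop-channel messages and the SSN line are flagged.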

The latest Kardphisher may indeed be filling in all the gaps of the previous version, but the trojan can never scale as efficiently as crimeware "in the middle" does, at least for the time being. Among the main growth factors behind the increasing number of such malware remains the fact that throughout the entire year proprietary crimeware kits costing several thousand dollars on average have been leaking out, allowing many new entrants to start using what was once a highly exclusive tool in the arsenal of the experienced cybercriminal.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He has been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

134 Comments


RE: Fake Windows XP activation trojan goes 2.0
birumut Updated - 5th May 2011
Great!!! Thanks for sharing this information with us!
seslisohbet seslichat
0 Votes
This whole blog post reads like an ad, it almost sounds like you're bragging about how improved the latest version of the trojan is.
0 Votes
Well, it's indeed improved, that's why it goes 2.0, and you're supposed to be aware of what the latest version looks like and what it does, in order to be extra vigilant until the major AV vendors add detection rates for it.

As long as you don't know its real name, but the AV alias, as well as where to obtain it from, you're responsibly informed on the latest developments related to it.
0 Votes
This scheme couldn't work with an OS that doesn't require activation...
0 Votes
This is not a Microsoft thing, it is a social engineering thing. During Windows Activation you are never asked for any information (although you are asked if you want to REGISTER), and anyone who legally obtained AND activated their own software would know that.

This comes down to the average computer user being just oblivious to things like this, and the (Trojan) writer is hoping to catch a few gullible people with it.

The same type of thing could happen to any Mac user or Linux user with a different type of application. It only makes sense to target Windows users based on sheer numbers, and that is what the less suspecting individuals use.

Just an FYI, more and more grandmas and grandpas are getting Macs, so you may see this type of thing start appearing on Mac in the future too.
Linux, let's be realistic, unless you live in a community where everyone wears a beanie on top of their head with a propeller on it, they don't use Linux en masse. I use Linux but would never expect my elderly parents or grandparents to use it.
0 Votes
Ahh... Yes it is a Microsoft thing.
BilboRT 19th Nov 2008
Windows and its approach to security came from Microsoft DOS, i.e. any program can do anything it wants to any device or program on the machine because all users have administrator rights. This can NOT be patched out!! It will require a complete turnaround in Windows OS/application programming culture. Do you realize how many applications will not run in MS Windows with only user rights?!?! I do.

Linux, Mac OS X and UNIX were designed with security from the beginning! Users only have user rights! Users are NOT administrators/root! Applications must be written with this in mind.

Yes the Trojan is social engineering, but it would not be allowed to install if the user did not have administrator rights!
0 Votes
Let's try this yet again
rpmyers1 19th Nov 2008
An effective trojan does NOT need admin rights.

Remember MyDoom? That could easily be written in Perl and be portable across all *nix platforms.
0 Votes
Rofl RUNNING programs is MS problem
mikes2nd 19th Nov 2008
Linux boy got jacked...

Let the open source geek keep his dream.

Yeah running anything on open source is perfectly safe.

The problem is no one uses Linux except dorks.
0 Votes
Nice reply rpmyers1!
10W1V1 19th Nov 2008
Hah, nice one.
No doubt, an exploit is an exploit. (I used to code Perl in the old days.)
It is just less likely for open source to be exploited 'cuz nobody is using it, and it's not worth the bother for the malware community to write against it, unless they only want to get one or two credit cards.
Oh, wait, there would be no credit cards; there is never any money exchanged in open sourceville!
cudos2u
0 Votes
That's because Windbloze users...
hasta la Vista, bah-bie 20th Nov 2008
Are too dumb to learn it... They've been programmed by the Gates Borg for too long.

"the problem is no one uses linux except dorks"
0 Votes
More accurately...
MKleinpaste 21st Nov 2008
An effective trojan in WINDOWS does not need admin rights.

The *nix security subsystem in every iteration of the *nixes requires root for similar installs. Otherwise they're just files sitting on the filesystem doing nothing. There is no such thing as a self-installing *nix virus.

Even the last trojan that PCWorld spouted about OS X (a BSD Unix iteration) required administrative privileges to install. Even your MyDoom scenario would still result in something no more dangerous than spyware for that ONE user and only when they're logged on and only when they activate it.

All of the worst M$ malware were self-installers and self-replicators.
0 Votes
Re: Ahh... Yes it is a Microsoft thing
Some guy_z 20th Nov 2008
"because all users have administrator rights"

What?? Are you sure?? All users have USER rights. You grant them Administrator rights or use Run as... to run in administrative mode.

In Linux you can grant a user root access or use sudo.

You need some training!!
0 Votes
Only root has administrator rights, and those rights are never given to the user.

A user may switch user, within the context of a specific application, for example Konsole or drakconf (Mandriva) or sudo, to root (Administrator), but the user is never given administrator (root) privileges.

You need some education.
0 Votes
If you do that...
hasta la Vista, bah-bie 20th Nov 2008
...then you deserve what you get...

"In Linux you can grant a user root access or use sudo."
0 Votes
guy_z, that'd be equivalent to..
AzuMao 20th Nov 2008
..using Windows.

=/
0 Votes
clue_less
wargammer2005 20th Nov 2008
clearly you have no idea what you are talking about.
0 Votes
But this IS a Microsoft thing.
AzuMao 19th Nov 2008
*nix systems don't have anything resembling the draconian activation processes of Microsoft, so this social engineering attack would be completely useless on them, REGARDLESS of the technical side (i.e. good luck locking the user out of his own system on *nix).
0 Votes
Clueless...
agohige 20th Nov 2008
Quote:" Linux, let's be realistic, unless you live in a community where everyone wears a beanie on top of their head with a propeller on it, they don't use Linux in mass."

I have Mexican field workers using Xandros and OpenOffice on Asus Eee PCs gathering data. They used to do it writing on paper. They had NO computer experience other than an old HP 200LX.

Anyone can use Linux. And it is harder for them to screw it up. I am slowly shifting the whole company to Linux and OpenOffice. Bye Bye Microsoft!
0 Votes
Grandma's & Grandpa's?
tomweeks@... 20th Nov 2008
I am a 66-year-old "grandpa". I have not and probably never will fall victim to any of these schemes, because I am intelligent and knowledgeable enough to exercise a few simple rules of personal data disclosure. I cannot believe that very many other "grandpas & grandmas" of reasonable intelligence fall victim to such scams. Those of us who are long in the tooth have the distinct advantage of having achieved a bit of wisdom that comes only from years of experience.

The reason "elderly" people appear in news stories about internet scams and schemes is that we are generally mature enough to admit that we have done something stupid, whereas the young "God I'm so savvy I squeak" Turks would rather die than let anyone know they've been had.

Just my $0.02 worth.

Tom Weeks
0 Votes
From Grandma
pokyjo Updated - 27th Nov 2008
Bravo on your great statement! I'm 77 and certainly wise enough AND knowledgeable enough not to fall for these things. I think you're absolutely correct when you say older people are not afraid to admit errors whereas the young don't want to admit it (generally) when they've made a drastic mistake. My sympathy goes out to those who seem to believe old age brings stupidity.

Jody
0 Votes
Too True
rm.squires@... 4th Dec 2008
My granddad uses his computer purely for checking a few things on the web and the occasional printing. He may be unsure of what some things mean when XP throws up the odd error message, but he doesn't want to know the technics (like most users of computers in general).

But overall, most young people are less tech savvy than older people, mainly due to experience. For example, people who have watched IT develop and take over our lives treat it with the respect it deserves. Young people take it for granted and are often arrogant about security.

This I have seen to be true; correct me if I'm wrong.
0 Votes
Yeah right
10W1V1 19th Nov 2008
If they fall for a fake XP or Vista splash, who's to say they would not fall for an open source msg as well.
geeze... oh, that's right, maybe you would be too busy trying to get all of your applications to work to notice the splash..
0 Votes
You CAN'T be that dense
Dr. John 19th Nov 2008
Social engineering. It's platform independent. It would be as simple as having a pop-up with a statement something like:

"In a decision rendered in IP Networkz, Inc. v. OSS Linux, et al, it was determined that current and past implementations of the Linux operating system violates patents held by IP Networkz, Inc., which allows IP Networkz, Inc. to collect damages and/or royalties from vendors and/or end users of said infringing operating systems."

"Under the conditions of this ruling, you must purchase a license to continue using these technologies (pay a reasonable royalty fee), or immediately remove this operating system from your computer."

"Failure to do so will result in your intentional infringement on patents held by IP Networkz, Inc., which, if convicted, could result in a fine of up to $250,000.00, per instance."

etc...
0 Votes
Except with a bit of common sense. . .
Computer_User_1024 19th Nov 2008
Anyone who is mindful of security would, before responding to such a prompt, investigate who "IP Networkz, Inc." was and whether they were truly a legitimate organization or not. I have seen messages come into my inbox in the past claiming to be from my banking institution with a URL to click to keep my account validated, but on examining the URL that the message included it was painfully evident that it was fraudulent; I do not trust any link from organization.notsameorganization.org, .com, .net, etc. I also tend to scrutinize the URLs in the headers of emails which I receive to see if they match where they claim to be coming from, and even possibly check the originating IP addresses to see what network they come from. In the case of the fraudulent banking email I immediately called my bank and asked them in person about the email and where to report fraudsters to, and thus forwarded the email complete with full header information to the fraud report email at the bank. I might even go as far as to forward such information to the FBI.gov email address if I knew the exact address to send to.

Furthermore, on this particular email that I had received, the link that they sent the user to was asking for such information as your mother's maiden name, your birth date, your Social Security Number, your place of birth, your pet's name, etc. It was obviously a phishing site from the depth of information they were trying to collect... It just takes a little common sense to see this.

A good search of arin.net will tell you what network an IP address belongs to, and from there you can report abuse to their ISP if you so choose. Just enter the IP address into the search box on their page and you will get the needed information.
0 Votes
and your point is......
sjbinaz Updated - 19th Nov 2008
You are not a victim or target, so what, it still exists.
0 Votes
I'm happy for you
Dr. John 20th Nov 2008
I'm happy for you. You have a basic sense of security. What you don't seem to have is an understanding of how this thing works, or the technical knowledge and expertise of the average home user.

This is a stand-alone trojan. Everything about it is different than what you're describing. Do a little research, then rethink your position.
0 Votes
Why do you bother
AzuMao 20th Nov 2008
Trying to enlighten people on ZDNet?

Just curious.
0 Votes
But first
tracy anne Updated - 20th Nov 2008
You need to get that virus/trojan/application to run on the Linux box. How are you going to do that?

On Windows it's trivially easy. All it takes is the use of an ActiveX vulnerability while the user is surfing to a compromised website, to have a zero-day exploit occur, which installs the trojan, which then activates the next time the user restarts their Windows computer.

But how are you going to do this on a Linux box? You can't install software unless you are operating within a context that allows root privileges (the package manager, for example, or the console within an SU session, or a sudo session). So how are you going to get the trojan to download and install on a Linux box?
0 Votes
Ahh... Yes it is a Microsoft thing.
BilboRT 20th Nov 2008
tracy anne's statement is very clear.

Don't dismiss me as a zealot, I am not. I have over 20 years experience working in the industry with UNIX and Microsoft products!

I still work with both OS's. I am VERY ANGRY that I get two MS Windows machines a week infected with malware all because MS Windows users are given Administrator rights by default.

Additionally many programs are written to run only with Administrator rights. Until this changes, MS Windows machines will be vulnerable!
0 Votes
Can't argue with that.
Dr. John 20th Nov 2008
However, as I said previously, it's not just a Windoze thing. It can happen to any OS. That's the beauty and terror of social engineering.
0 Votes
You're in denial, Dr. John
hasta la Vista, bah-bie 21st Nov 2008
You just said (in your own words) you can't argue with that, then you turn around and start arguing with that.

Is it a "pride & ego" thing or what...
0 Votes
Note to b8375629
Dr. John 24th Nov 2008
Speaking of dense...you're there!

I didn't argue it. I enhanced it.
0 Votes
Can't argue with Dr. John
AzuMao 25th Nov 2008
Everything he says is wrong.
0 Votes
Sounds like the 'good' Doctor's ego...
hasta la Vista, bah-bie 26th Nov 2008
...has been severely tested. I wonder who gave him his medical license?

LOL...
0 Votes
Hack-proof servers?
Dr. John 20th Nov 2008
You obviously don't keep up with events. How many servers and websites have been hacked in the last few months? How difficult would it be for a time bomb payload to be added to a legit piece of software downloaded and installed by the user or administrator, or the update manager for that matter? You install it, then after x number of days, or on an appointed date and time, up bangs the "pay me now" window - a window that perhaps, given the correct access during install, all but locks you out of your system until you've done something with it?

Linux is NOT immune, regardless of how much you'd like to think it is. The people writing these exploits and hacking these servers are among the brightest coders in the world.
0 Votes
I never said Linux is immune.
tracy anne 21st Nov 2008
I said it is inherently secure. Any security can be broken; it just takes effort, on the part of the person with root access on a Linux machine, to break that security.

Many Linux servers get broken into; invariably it is because the person with root privileges used weak passwords.

How many repositories have been broken into in the entire time I've been using Linux (8 years)? None. That includes the recent Red Hat scare. The repositories were never compromised, even though security in less sensitive areas was breached. Red Hat's response was to immediately issue public warning notices to all clients, and purge the repositories.

Quote: "Linux is NOT immune, regardless of how much you'd like to think it is. The people writing these exploits and hacking these servers are among the brightest coders in the world."

And regardless of the fact that they have full access to the Linux source code, none of them has managed to develop a successful virus for Linux.

The problem with these prognostications about the vulnerability of Linux, coming from Windows users, is that they fail to understand the nature of the beast. They continually equate Linux security and development methods with Windows security and development methods, and therein lies the reason why they get it wrong. A conclusion based on an invalid assumption will invariably be wrong.
0 Votes
Re: tracy anne
AzuMao 21st Nov 2008
You're wrong as usual.

This isn't an imperfection in *nix systems.

Yes, giving out your password (either by actually giving it out, or making it very weak) will give access to whoever got your password.

This is NOT a flaw. It's supposed to be that way.
Don't blame the OS for user error.
0 Votes
The same way you do on Windows.
Bozzer 22nd Nov 2008
By convincing the user to click on it. You do know the actual meaning of the word trojan and what it represents don't you?

It doesn't matter what platform you use if you can fool a user into running a program.

You can put seatbelts and airbags in a car, you can reinforce its chassis, you can put warning sensors and satnav and everything else into it. Whilst it may make the driver safer, it doesn't make their driving any safer.

The weak spot of any operating system is the user. The only truly safe system would be one that doesn't allow the user to run ANY programs, but then what would be the point in that.
0 Votes
But on Windows
AzuMao 22nd Nov 2008
You take advantage of the user being used to outrageously draconian activation schemes, and total trust and acceptance in what prompts tell them they can and can not do.

There is no *nix equivalent to this vulnerability.
0 Votes
Relax Bozzer
Dr. John 24th Nov 2008
There are some that simply don't understand social engineering, or the concept of the lowest common denominator.

Let's see if we can help them out...

The average user is an idiot!

Got it now, folks?
0 Votes
Not an advertisement, A PSA
Flying Pig Updated - 19th Nov 2008
Advertisements are paid for. Public Service Announcements can have the look and feel of an advertisement but are presented for free. They are done as a ...ahem... public service.

Further, I don't get the impression of bragging, but the author does come across as being impressed. As am I. Whoever designed it went to great lengths to get it to look very official. Proof that you should never underestimate the criminal mind.

The article does a good job of just how official this threat can appear to an unsuspecting user. I would not fall for it, but I personally know some people who would. You probably do too. I plan to send a link to this article along to my friends and family members I think might be gullible enough. Maybe you should too...as a public service.
0 Votes
I agree
B.Beck 19th Nov 2008
I never got the impression that the author was trying to support the threat, just the idea that the trojan was impressive, which makes it even more dangerous. The whole purpose of this column is to keep us informed and updated on existing and new threats to security.

B. Beck
0 Votes
Re: I agree
ddanchev 19th Nov 2008
Exactly. Anyway, profiling a threat has nothing to do with advertising it.
0 Votes
Thank you.
Computer_User_1024 19th Nov 2008
Thank you for the heads up that criminals are doing this. Being informed is important.
0 Votes
What matters, is what it looks like, and that if you encounter it don't give it your real info no matter what.
0 Votes
That's exactly the point!
lagosv@... 19th Nov 2008
By highlighting the trojan improvements, users will be more alert to a possible attack.
0 Votes
Anyone who is DUMB enough to put a SSN in an OS system activation deserves to be pirated.
0 Votes
I do not agree...
Computer_User_1024 19th Nov 2008
I don't think anyone deserves to have their personal information stolen, and unfortunately there are some quite gullible individuals out there who do not know better.
0 Votes
Committed to your "piracy"
pkmartin82 Updated - 19th Nov 2008
That's really cute. Check the description vs. the URL. Peeps should read closer.
0 Votes
haha
midenginedrift 19th Nov 2008
Yeah that was funny. What's also funny is that it leads to a real site about piracy, not privacy, even though they're related.
0 Votes
Capital punishment! What cha think?
0 Votes