Haxdoor Trojan claims thousands of UK victims

Metropolitan Police have revealed that the Trojan responsible for infecting thousands of users is Haxdoor, a particularly 'nasty' piece of malware. The FBI is working with the Met to catch the offenders
Written by Tom Espiner, Contributor

The Metropolitan Police have revealed that cybercriminals used a particularly malicious piece of malware called the Haxdoor Trojan to steal data from thousands of UK users.

Over 2,300 people have been infected with a variant of Haxdoor, which installs a backdoor, keylogger and rootkit on infected machines, to harvest private information undetected.

As first reported on ZDNet UK on Tuesday, this personal information has been found on a server in the US. The Met said on Wednesday that it is involved in a joint operation with the FBI.

"It's a diverse range of data that's been stolen," said detective chief inspector Charlie McMurdie, the officer in charge of the investigation. "Primarily passwords and details of financial transactions, but not purely banking data."

McMurdie told ZDNet UK that it was too early to say whether it was an individual or a group that was responsible for stealing the data, but said that most offences of this kind were perpetrated by organised criminal gangs.

"We're working in a global arena with other law enforcement agencies, but that doesn't necessarily mean the suspects are outside the UK," said McMurdie. "We're currently working with the FBI, as the data was being stored on the server in the US."

The Met is having difficulty contacting users they believe may be infected. They sent out an unsolicited email to alert potential victims, but most of them are ignoring the email.

"We've had a limited response [from the emails]," said McMurdie. "It's a recurring problem — when we take on an investigation, the main method of contacting thousands of victims is via email. Everybody's suspicious — they believe it's a scam."

The Met is seeking to reassure people that the email they sent out is genuine. The email contains contact details for officers involved in the operation. The Met will not ask for data or banking details, and security validation is already contained in the email. If people are in doubt, they should telephone the New Scotland Yard switchboard, or contact their local police force.

Machines infected with Haxdoor will still be transmitting information, but no longer to the criminals responsible. The data that was transmitted to the US server has been recovered, and the server taken offline. The Met would not comment on what was now happening to the data being transmitted currently, and whether its continued transmission was being used in the operation.

"We've notified the US authorities [about the transmission] and taken appropriate investigative steps, coupled with risk assessment," said an officer involved in the investigation.

The Met declined to say which variant of the Trojan has infected the UK users, but according to antivirus company F-Secure it is Haxdoor.AL, which is normally propagated through infected email attachments.

"It's a nasty case," said Mikko Hypponen, director of antivirus research at F-Secure.

Once the Trojan is installed, it hides itself using a rootkit, making it difficult to detect. A keylogger makes a record of all keystrokes, and that data is then sent to a central server.

"Anything you type gets archived," Hypponen told ZDNet UK. "Bank pin codes, passwords, search terms. Then the guys who collect the data sift the huge logs." The data is then sold on the black market, according to Hypponen.

Passwords and log-in information are specifically collected by prioritising data strings containing certain keywords, such as the names of banks.

The Met declined to comment on which banks' and ISPs' customers had been affected by the Haxdoor variant under investigation. However, one variant intercepted by F-Secure contained references to HSBC, Halifax Building Society, and Barclays.

The Haxdoor Trojan is sold as a commercial product by a Russian hacker who calls himself "Corpse", according to F-Secure. Haxdoor toolkits retail for approximately $2,000 (£1,077) on the black market, and can be used by people to build their own Haxdoor variants.

As this product is available so easily, the Haxdoor may have more victims than those in the UK, according to F-Secure.

"The total count could be much higher," said Hypponen. "Other people have bought licences for Haxdoor toolkits — this is just one case among hundreds. There was a large amount of [Haxdoor] spam sent to German people last month, disguised as bills. The hackers' imagination is the only limit using the tool transmission method."

Editorial standards