
Tigger.A Trojan Quietly Steals Stock Traders' Data

kdawson posted more than 5 years ago | from the where-the-money-is dept.

Security 212

**$tarDu$t** recommends a Washington Post Security Fix blog post dissecting the Tigger.A trojan, which has been keeping a low profile while exploiting the MS08-66 vulnerability to steal data quietly from online stock brokerages and their customers. An estimated quarter million victims have been infected. The trojan uses a key code to extract its rootkit on host systems that is almost identical to the key used by the Srizbi botnet. The rootkit loads even in Safe Mode. "Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade, and Scottrade. ... Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles ... this is most likely done because the in-your-face 'hey, your-computer-is-infected-go-buy-our-software!' type alerts generated by such programs just might ... lead to all invaders getting booted from the host PC."


212 comments

looks like it may be (5, Funny)

bugs2squash (1132591) | more than 5 years ago | (#27056745)

more effective that the antivirus I use today

Re:looks like it may be (4, Funny)

Anonymous Coward | more than 5 years ago | (#27056973)

And much, much more effective than your English class.

Now what we really need... (5, Interesting)

alvinrod (889928) | more than 5 years ago | (#27056995)

If only there were a similar piece of malware in direct competition with this particular trojan such that both would attempt to remove the other and successfully do so.

It is interesting how malware is adapting so that not only is it able to spread more quickly to a larger number of machines, but also that it's attempting to increase its lifespan by killing off other malware so that the host may not notice that it's infected. I wonder how long it will be until a particular program updates a virus definition list or something similar to remove all other competing malware programs as they come into existence. Also, how much better will the malware be at quickly patching machines against new zero-day exploits than actual virus scanning and prevention software?

Re:Now what we really need... (5, Insightful)

DigitalCrackPipe (626884) | more than 5 years ago | (#27057653)

I wonder how long it will be until a particular program updates a virus definition list or something similar to remove all other competing malware programs as they come into existence
Such a malware product exists... it's called McAfee, and while it's not very good it does convince lots of people to pay money for it.

Re:Now what we really need... (1)

WidgetGuy (1233314) | more than 5 years ago | (#27057773)

Technically, this is not a virus. It's the algorithm we've long suspected underlies the Microsoft Marketing Strategy for World Domination (MMSWD). It leaked out as an attachment to a leaked e-mail from Redmond.

You didn't hear this from me. Just a minute... Someone's at the door. Thud! Ugh!

Re:Now what we really need... (0)

Anonymous Coward | more than 5 years ago | (#27057957)

You talk like it's an evolving creature. This is nothing more than some programmer who decided to add a feature to remove certain other software to keep it living longer, which has happened forever.

Re:looks like it may be (3, Insightful)

amclay (1356377) | more than 5 years ago | (#27057013)

Probably not. Tigger removes adware/spyware, and not all spyware even then. Viruses are different than your typical spyware. There's a whole host of things that are different than spyware that I'm not going to clarify, but don't go around thinking Tigger is some sort of anti-virus because it's not.

Oblig... (5, Funny)

8127972 (73495) | more than 5 years ago | (#27056747)

Does it make your computer bounce up and down on its tail too?

Re:Oblig... (4, Insightful)

cbiltcliffe (186293) | more than 5 years ago | (#27057599)

The wonderful thing about tiggers
Is tiggers are wonderful things!
Their tops are made out of rubber
Their bottoms are made out of springs!
They're bouncy, trouncy, flouncy, pouncy
Fun, fun, fun, fun, fun!
But the most wonderful thing about tiggers is.....
I'm the only one

Re:Oblig... (4, Funny)

Serenissima (1210562) | more than 5 years ago | (#27057731)

But the most wonderful thing about tiggers is.....
I'm the only one


Hmmmmm... considering that it removes a long list of other malware, that's surprisingly accurate.

a quarter million !!! (5, Funny)

bugs2squash (1132591) | more than 5 years ago | (#27056783)

I thought the most wonderful thing about Tiggers was that there was only one of them

Re:a quarter million !!! (5, Funny)

girlintraining (1395911) | more than 5 years ago | (#27057007)

I thought the most wonderful thing about Tiggers was that there was only one of them

There are many copies. And they have a plan.

Re:a quarter million !!! (2, Funny)

Anonymous Coward | more than 5 years ago | (#27057225)

Their stocks are made out of rubber
Their brokers are made out of springs!
They're bouncy, trouncy, flouncy, pouncy
Fun, fun, fun, fun, fun!

Re:a quarter million !!! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27057311)

Nope! There are way, way too many Niggers around. We'd all be a lot better off with less of those apes.

Every time Obama opens his mouth... (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#27056787)

the Dow drops another 100 pts. OK, we had our little experiment in "change." Can we please end amateur hour at the White House before all we have left is change?

Re:Every time Obama opens his mouth... (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#27057041)

Every time the asshole or anyone from his cabinet speaks, the market tanks.

That's Change I can believe in. We must destroy all wealth first before the PrezBO can begin his transition from capitalism to neo-Marxism.

Re:Every time Obama opens his mouth... (0, Flamebait)

Anonymous Coward | more than 5 years ago | (#27057249)

Yeah, we all miss the sound fiscal management of the Bush years ...

Re:Every time Obama opens his mouth... (0, Offtopic)

Anonymous Coward | more than 5 years ago | (#27057287)

You mean the record-low unemployment and explosive economic growth years? The economy only turned sour when the Democrats gained control of Congress and started forcing banks to ease credit restrictions so that people who shouldn't have been able to qualify for a home loan could do so. It's called buying votes.

Re:Every time Obama opens his mouth... (1, Informative)

Anonymous Coward | more than 5 years ago | (#27057825)

You mean the record-low unemployment and explosive economic growth years

Rofl...are you kidding? Explosive economic growth due to unregulated markets ballooning into a giant bubble? This is just like putting rocket boots on all the wolves in the forest and then acting surprised when all the deer have been eaten, and now the wolves are somehow starving to death.

I don't know where you got that bullshit about democrats forcing banks to loan to poor people. Banks did this intentionally and voluntarily, because they had bad statistical models that told them housing prices would go up forever, and they marketed bad (likely to foreclose) mortgage products, and they sold mortgages with little or no accurate risk data (ie: realtors/banks were lying about buyer salaries). Congress, let alone a democratic congress, had nothing to do with "forcing" this on banks...

Re:Every time Obama opens his mouth... (1)

Washii (925112) | more than 5 years ago | (#27057905)

Because it took all of 1.5 years for the Democrats to legislate to the banks "give billions upon billions of dollars to people in ill financial health!"

You know, because we wouldn't have heard that being pushed through and soundly destroying the economy in only several months, right?

These sub-prime loans started well before the Y2K bug was due to hit, my friend.

Re:Every time Obama opens his mouth... (1)

slimjim8094 (941042) | more than 5 years ago | (#27058071)

Haha. That's amusing.

A non-idiot would be able to see that this current... dilemma is a lot longer-standing than 3 years. The problem is, banks were getting better at making bad loans and milking them as long as they could.

See the earlier story regarding the formula. It let them do the things that they had been doing, but better (and most importantly, longer).

Took a lot longer than 3 years to bring down an economy.

And, by the way, foreclosures (as a rule) are because of unexpected expenses (medical) or loss of job. Not some BS about forcing lenders' hands.

Re:Every time Obama opens his mouth... (0)

Anonymous Coward | more than 5 years ago | (#27057407)

Did you ever stop to consider that maybe the truth about the Bush years is leaking out and the market is falling as a result of that? You know, like putting the real cost of the Iraq war in the budget and not hiding the cost?

You can blame Obama if you want but if McCain was in there the same thing would be happening. It takes longer than 30 days to fix these problems. Come back in 2 years and let's see where we are. It took nearly 2 terms for Clinton to really fix the problems of the Reagan Era. It took Bush 2 wars and 8 years to bring the country to the brink of depression.

Re:Every time Obama opens his mouth... (0)

Anonymous Coward | more than 5 years ago | (#27057675)

-OR-

Investors, having heard that Obama has the successful in his cross hairs and intends to seize the fruits of their labor and give it to the unsuccessful in the name of fairness, are panicking.

Re:Every time Obama opens his mouth... (3, Insightful)

Dutchmaan (442553) | more than 5 years ago | (#27057813)

-OR-

Investors, having heard that Obama has the successful in his cross hairs and intends to seize the fruits of their labor and give it to the unsuccessful in the name of fairness, are panicking.

Don't you mean the fruits of other people's labor? Last time I checked, investors don't actually produce anything.

Re:Every time Obama opens his mouth... (0)

Anonymous Coward | more than 5 years ago | (#27057875)

Oh, I guess they don't produce anything - anything EXCEPT wealth, the ability for people to retire and sustain themselves in relative comfort, and a civilization with the highest standard of living the world has ever known. Take your Marxist crap elsewhere, you ignorant sluggard.

Re:Every time Obama opens his mouth... (0)

Anonymous Coward | more than 5 years ago | (#27058189)

Yeah, they produce wealth, just like the CEO of AnyCorp. actually produces AnyWidgets. They may play a role, an important role, but Mr. CEO wouldn't have crap without a workforce. I say you're right. Let's let all the failing banks and corporations fail. No investment in the working man. But in return the working man will no longer support Mr. CEO in his endeavors. Let's see how well that works you idiot. Don't you get it? The only reason those wealthy are wealthy is because of the worker. Without the middle class Mr. CEO is S.O.L.

Here's the sum total of the knowledge gained... (4, Funny)

Anonymous Coward | more than 5 years ago | (#27056825)

Stocks are going down. Don't buy stock.

Re:Here's the sum total of the knowledge gained... (4, Insightful)

PCM2 (4486) | more than 5 years ago | (#27056881)

Of course not. You should wait until they're at their 10-year peak and then buy them.

Re:Here's the sum total of the knowledge gained... (2, Interesting)

PIBM (588930) | more than 5 years ago | (#27056991)

No, just wait until it tells you it hit rock bottom...

Can that happen ?

Re:Here's the sum total of the knowledge gained... (1)

Camann (1486759) | more than 5 years ago | (#27057175)

If you pay attention carefully, at this point it will start to dig.

Re:Here's the sum total of the knowledge gained... (3, Funny)

Cytotoxic (245301) | more than 5 years ago | (#27057259)

Of course not. You should wait until they're at their 10-year peak and then buy them.

Hey, that's my investment strategy! So far it isn't working out so well, but I'm starting a website "ShortMyPortfolio.com". If past performance is any indication, it should be the best investment advice available at any price.

Re:Here's the sum total of the knowledge gained... (2, Insightful)

zach297 (1426339) | more than 5 years ago | (#27057327)

You can't tell something is peaking until after it goes down.

Re:Here's the sum total of the knowledge gained... (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#27057449)

Just like your mom!

Re:Here's the sum total of the knowledge gained... (1)

legirons (809082) | more than 5 years ago | (#27058269)

You can't tell something is peaking until after it goes down.

challenge: predict mid-day

Hmm... (1)

Mysticalfruit (533341) | more than 5 years ago | (#27056843)

So basically somebody needs to take out that whole "stealing your data" part from this worm and re-release it back into the wild and it would be a good thing?

Re:Hmm... (1)

Camann (1486759) | more than 5 years ago | (#27056895)

Other than the fact that it's still illegal and would leave its rootkit on your machine, sure. *famous last words* What could go wrong?

Re:Hmm... (3, Insightful)

SmurfButcher Bob (313810) | more than 5 years ago | (#27057543)

It's only illegal if your name isn't SONY or BMG. If your name IS SONY or BMG, you simply need to deposit two iTunes songs on the machine, and you're held harmless.

Re:Hmm... (4, Interesting)

interiot (50685) | more than 5 years ago | (#27056945)

Benevolent worms are a perennial suggestion in computer security, and the conclusion is always no no no no [schneier.com] .

Re:Hmm... (1)

Devout_IPUite (1284636) | more than 5 years ago | (#27057145)

Benevolent worms would have to be better than malicious ones. I mean, seriously. Benevolent worms might trash someone's life's work, but in that same time it's going to save a few other people's life's work.

Re:Hmm... (2, Interesting)

Abreu (173023) | more than 5 years ago | (#27057663)

"If you must have crime, at least it should be organized crime..."
Attributed to the Patrician of Ankh-Morpork

Re:Hmm... (0)

Anonymous Coward | more than 5 years ago | (#27056961)

I don't do stock trading, Tigger is my favorite antivirus now

Re:Hmm... (1)

Chabo (880571) | more than 5 years ago | (#27057199)

Yeah, but I don't trade stocks, so I'll start using it now. I mean, nuclear secrets look nothing like stock information, right?

Re:Hmm... (3, Funny)

oldspewey (1303305) | more than 5 years ago | (#27057317)

I'm okay with this worm stealing data so long as it put a little more effort into it: you know, it could introduce itself as Prince Leta Matobo living in exile in Ghana, spend some time building up a rapport, and then start making suggestions about making billions of dollars using 100% guaranteed modalities.

This automated stealing of data is just bullshit.

The real question is... (3, Funny)

dov_0 (1438253) | more than 5 years ago | (#27056883)

..does it run on Linux?

Re:The real question is... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27057275)

There are Trojans in Linux. Just no one has the time to read all the code to find them.

Summary incorrect (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27056915)

The name given in the summary is slightly inaccurate. This criminal, thieving program is actually called the Nigger trojan.

sourcing the problem (2, Informative)

girlintraining (1395911) | more than 5 years ago | (#27056981)

Attacks like this, namely single vector and single target, point to a single person or small number of persons who have found some way of using the data to profit themselves. We're probably looking at someone in their late 20s, based in the United States (cursory examination -- appears the institutions are all English and based in the US), upper middle class, 5-7 years experience programming (self-explanatory), single, male, and with a history of mental health disorders along axis IV, socially under-developed, (the two are usually related, and most white-collar criminals have mental health disorders but are still highly intelligent) and likely recently became unemployed and is trying to maintain his upper-middle class income.

Forget tracing back through the network -- find out where the money is going. You have a many-to-one relationship, it's unlikely this guy is smart enough to launder money effectively -- the entire attack scenario points to someone new and inexperienced, and is acting alone hoping this will reduce his risk exposure. The differential is the profile above -- find someone who was recently in debt, and is now very much out of debt.

Have fun.

Re:sourcing the problem (5, Funny)

oldspewey (1303305) | more than 5 years ago | (#27057067)

find someone who was recently in debt, and is now very much out of debt

Agreed, let's go after the bailout recipients.

Re:sourcing the problem (2, Interesting)

girlintraining (1395911) | more than 5 years ago | (#27057189)

Agreed, let's go after the bailout recipients.

No. It should be assumed this person has familiarity with those systems, in order to develop the code. Acting alone (highly probable), that means he likely has/had accounts with many if not all of those financial service providers. That grossly limits the number of available suspects. His industry and age also narrow the list even further. That probably leaves perhaps 10k worth of potential suspects in the pool. I'd be guessing, but he probably hopes to convert the stolen accounts' stocks to cash, launder it through a third party (PayPal perhaps), and then return those assets as stock purchases to avoid taxation, which means you only need the cooperation of a few of those providers and demographic data. Link it with possible terrorism to bypass the usual rules that would prevent a dragnet, and chances are good you find your man. At least, that's how I'd investigate.

Re:sourcing the problem (5, Insightful)

commodoresloat (172735) | more than 5 years ago | (#27057495)

Link it with possible terrorism to bypass the usual rules that would prevent a dragnet, and chances are good you find your man. At least, that's how I'd investigate.

Well then thank goodness you're not investigating. Crap like this is the exact reason many of us were outraged at the Patriot Act and similar legislation; back in 2001-2 we argued that such legislation would become an easy way for investigators to ignore the Constitution for a host of other crimes. There's been plenty of evidence of that happening already, but it's rare to see someone openly advocate such an abuse of law -- usually, in fact, conservatives defended these laws by saying they would never be used against anyone but the most dangerous international terrorists.

Re:sourcing the problem (4, Informative)

NeutronCowboy (896098) | more than 5 years ago | (#27057597)

I was about to post the same exact words. The analysis is completely faulty, based on some incredibly vague and unrelated statistics, and the call to action includes zero verification of those assumptions. Narrowing the US population to the specified profile would probably provide a single hit, but that hit would also almost certainly not be related to the trojan. That's because this is a pure case of garbage in, garbage out.

Re:sourcing the problem (1)

girlintraining (1395911) | more than 5 years ago | (#27057923)

Well then thank goodness you're not investigating. Crap like this is the exact reason many of us were outraged at the Patriot Act and similar legislation; back in 2001-2 we argued that such legislation would become an easy way for investigators to ignore the Constitution for a host of other crimes. There's been plenty of evidence of that happening already, but it's rare to see someone openly advocate such an abuse of law -- usually, in fact, conservatives defended these laws by saying they would never be used against anyone but the most dangerous international terrorists.

The tools are there. You're naive if you think they won't be used. I'm not here to discuss the morality of such actions, and your moral outrage will be confined to a website far from anyone making the decisions, which makes it a political act of utter insignificance. Sorry if this is an unpopular statement to make, but I'm not interested in gaining popularity. Save that for someone who needs to get elected, or win an argument on an obscure electronic forum.

The truth is something that only people of a certain moral flexibility are good at uncovering.

ooh ooh i saw this plot on csi miami (1)

circletimessquare (444983) | more than 5 years ago | (#27057549)

"the one who is making all of the feverish accusations usually is the culprit"

<sunglasses/>

YEAAAAAAHHHHHHH

Re:sourcing the problem (1)

gad_zuki! (70830) | more than 5 years ago | (#27057707)

At least, that's how I'd investigate.

Err thats why youre a semi-anonymous poster on a web board known for its biases and natalie portman jokes and not in law enforcement. Unlike Americans, Russians and Chinese hackers speak and read more than one language. The idea that this must be a white guy in the suburbs who was just laid off is naive. The possibilities are pretty huge. Not to mention the historic arrests for this kind of thing turns out to be non-americans. Anything is possible but if you profiled me, accused me of this, and had me questioned by police, embarassed me, or cost me my reupation because of your CSI-like hunch, well, youd be getting fucked by my lawyer right now.

Re:sourcing the problem (1)

girlintraining (1395911) | more than 5 years ago | (#27058275)

Err thats why youre a semi-anonymous poster on a web board known for its biases and natalie portman jokes and not in law enforcement.

Actually, it's mostly populated by computer geeks, and every group is well-known for its biases; that's how a group defines itself. It's not well known for its Natalie Portman jokes -- well, I haven't seen any, at any rate, and if there are jokes about that actor, it's purely a community thing, not what Slashdot is known for -- which is having a large base of computer geeks and posting on topics that interest them. And geeks (strangely enough!) tend to have interests in all things technical, medical, or just plain complicated. And the smarter and more experienced geeks tend to have interests outside their primary interest on which they are more than merely informed.

Unlike Americans, Russians and Chinese hackers speak and read more than one language. The idea that this must be a white guy in the suburbs who was just laid off is naive.

Yeah, but how did those hackers learn the internal workings of those financial service providers? And the question is also raised -- why just those providers? They're all US-based, and in English. Are you telling me those are the only financial targets worth hitting? Why not institutions in Europe? All of the providers are in the United States -- that implies a geographical bias. The simplest explanation is because they are geographically or culturally "local" to the attacker(s) -- they are familiar icons. That's a reasonable beginning assumption in any investigation.

The possibilities are pretty huge. Not to mention the historic arrests for this kind of thing turn out to be non-Americans.

"this kind of thing"? "Non-Americans"? The United States practically pioneered financial fraud, which logically follows since we have the most developed economy in the world, and other countries come here to learn how to structure their financial institutions, not the other way around.

Anything is possible but if you profiled me, accused me of this, and had me questioned by police, embarassed me, or cost me my reupation because of your CSI-like hunch, well, youd be getting fucked by my lawyer right now.

I would say you self-selected off the list -- any programmer worth his salt would have better punctuation and spelling than you. Debugging is such a pain. Also, unless your lawyer is attractive, female, and gay, they would not sexually excite me. :P

Re:sourcing the problem You could investigate (1)

davidsyes (765062) | more than 5 years ago | (#27058145)

with...

VisualAnalytics, too:

http://www.visualanalytics.com/ [visualanalytics.com]

I wouldn't be surprised if THIS is the program that the NY Times(?) reporter "outed", infuriating the Bush.

Only thing is, is I'VE been curiously and with excitement (database freaky) casually observing VisualAnalytics since, oh, about 1999 or maybe 2000. So, if this program is The One, and if the Bush had ANY thing to do with getting that NYT reporter into legal/judicial trouble, then somebody should bitch-slap him and his minions, since VA existed before the Patriot Act was published, much less drafted.

Anyway, that trader or group of tech-savvy traders better watch out, whether or not they knew/know of VA. VA purportedly has tools to do JUST the sort of forensic sniffing of some or many of the activities you posit this guy/group might have engaged in to try to cover their tracks.

Re:sourcing the problem (1)

Mysticalfruit (533341) | more than 5 years ago | (#27057115)

Considering the thousands of highly skilled programmers who are now out of a job and who also probably worked on financial systems and who also have a very detailed understanding of the Win32 subsystems, I'm not surprised.

Re:sourcing the problem (1)

olddotter (638430) | more than 5 years ago | (#27057209)

Yeah, because international criminals don't think "I'd like part of that $17 Trillion market in the US." I figure a good bit of online fraud is international organized crime. Is that wrong?

dude (4, Funny)

circletimessquare (444983) | more than 5 years ago | (#27057221)

you just described the entire slashdot demographic

Re:dude (1)

MichaelSmith (789609) | more than 5 years ago | (#27057351)

you just described the entire slashdot demographic

By the time I was 30 I had 15-20 years experience programming, not 5-7. And not everybody works closely enough with financial systems to think to pull this off.

If it were me... (1)

Thelasko (1196535) | more than 5 years ago | (#27057227)

Forget tracing back through the network -- find out where the money is going. You have a many-to-one relationship, it's unlikely this guy is smart enough to launder money effectively

When you are talking about stocks, laundering the money is easy. Simply buy some options in a particular stock with your own money and have your botnet purchase that stock with other people's money. If your botnet makes the trades quickly enough (it probably will) the stock's price will go up and the value of the options will follow exponentially. Sell the options near the top and reap the rewards.

They will never find this person among all of the trades on Wall Street.

Re:If it were me... (1)

girlintraining (1395911) | more than 5 years ago | (#27057389)

You're making a critical assumption -- that this guy is financially savvy, not just technically savvy. He may understand the value of stocks, but trading stocks and making a profit at it is entirely another set of skills, and he'd need money to blow to learn that skill in the first place... Which begs the question of -- why steal illegally what you can manipulate away from someone legally? There's a threshold of knowledge here -- he knows a lot about technology (the code speaks to this), but the fact that he's targeting only a few financial systems, and the attack is highly specific, tells me he's not very good at statistics. The first thing you learn about financial systems is that they are heavily audited. Criminals hate leaving paper trails, and if there has to be one, they want somebody else's name on it. But the problem is that the criminal has to eliminate the audit trail at some point and then move the money back to himself somehow... Whether it's fenced or not, the fact remains -- how does he get paid for his work?

That money has to come from somewhere, and there's a record of it, somewhere. It may not be practical to find it, and oftentimes investigation is more about guessing what's there than direct evidence that a link exists. It may be a needle in a haystack, but the needle does exist.

Re:sourcing the problem (5, Informative)

johnsonav (1098915) | more than 5 years ago | (#27057241)

Forget tracing back through the network -- find out where the money is going. You have a many-to-one relationship, it's unlikely this guy is smart enough to launder money effectively -- the entire attack scenario points to someone new and inexperienced, and is acting alone hoping this will reduce his risk exposure.

I would imagine the guy who wrote this isn't working alone. Most of these kinds of attacks aren't meant to directly transfer money from the victim's brokerage account to an account controlled by the attacker.

They use the hijacked accounts to purchase large quantities of a low-volume penny stock. The attacker, or the group he works for, already have a large position in that stock. The huge increase in demand pushes the price for the stock up. This causes all kinds of people to sell--including the attacker. And they make a tidy profit, while the victims are left with a large quantity of over-priced stock.

The hard part about catching the perpetrators is sifting through the list of all the people who sold the stock at the inflated prices. A bunch of people make money from a scam like this, but only one is the criminal.

Re:sourcing the problem (1)

girlintraining (1395911) | more than 5 years ago | (#27057661)

They use the hijacked accounts to purchase large quantities of a low-volume penny stock. The attacker, or the group he works for, already have a large position in that stock. The huge increase in demand pushes the price for the stock up. This causes all kinds of people to sell--including the attacker. And they make a tidy profit, while the victims are left with a large quantity of over-priced stock.

Okay, sounds like your classic pump-and-dump, but let's ignore that for a minute.

Whether he's working alone or in concert with a group of criminals, first. The probability of success is an inverse of the number of people involved in criminal enterprise. That is to say, the more people there are;
(a) the more likely mistakes are made that can expose the individual and/or group,
(b) the more likely for political issues to form within the group that tear it apart (and raising the chance of someone coming forward),
(c) the less profit for each player, and
(d) the more communication is needed between members.
Implicit to this is trust -- whoever each player works with, they have to trust all the other members. For these reasons, it's very likely they met incidentally in real life, built a relationship from this, and there is some paper trail linking them all together. So bust one, you bust them all even if they don't talk -- it's actually advantageous to an investigator to have groups of criminals as opposed to individuals, because it's easier to play them off each other and the communications between them are far, far more likely to be over channels which can be monitored. So, in summary -- groups are good for our team.

Now, that said, let's talk about the pump-and-dump. You are correct that these schemes are difficult by simply viewing trading transactions, because the missing piece of the puzzle is communication between the participating parties, directly or otherwise. But here's the fun part -- we'll find out who the victims are because of fraud reports that will trickle in, and a pattern will emerge telling us what stocks are involved. The many to one relationship means we can eliminate small purchases of the useless stock, and at some point near where the stock price crests, we have a list of who the sellers are. Very likely these won't be short trades either, but trades in quantity -- because it's easier to do it in one go or a couple than a few hundred, and the rate of return is far greater. They will focus their efforts too, because of simple statistics. A quarter million machines are infected, but this worm has a very specific kind of user and application -- so only a small fraction of those machines will actually be useful to the conspirator(s). This necessitates a more focused effort -- fewer trades, at larger amounts.

And that's the crucial flaw -- they have to sell, and yes, several people will sell in the target window of opportunity -- but how many of them will sell who fit the profile of the criminal we're looking for? Not very many. And monitoring their personal finances will give us the tell-tale signs needed to gain a confession.
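The investigative procedure the post above sketches (fraud reports identify the stock, then filter the sellers near the price crest down to the few large blocks) can be written down as a small piece of analysis code. The following is an added illustration, not code from any poster, brokerage or regulator; the ledger, account names and fraud reports are constructed, and it assumes a single exchange's trade feed, which is exactly the limitation the next reply raises about sales on other markets.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Trade:
    t: int          # time step of the fill (constructed integer clock)
    account: str
    symbol: str
    side: str       # "BUY" or "SELL"
    qty: int
    price: float


# Constructed victim fraud reports: (reporting account, symbol that showed up in it).
FRAUD_REPORTS = [("v1", "PNNY"), ("v2", "PNNY"), ("v3", "PNNY"),
                 ("v4", "PNNY"), ("v5", "ACME")]

# Constructed single-exchange ledger. The "v*" accounts are the hijacked buyers,
# "r*" are ordinary small sellers, and "s1" unloads a large position at the crest.
LEDGER = [
    Trade(1, "v1", "PNNY", "BUY",   500, 0.10),
    Trade(2, "v2", "PNNY", "BUY",   800, 0.14),
    Trade(3, "v3", "PNNY", "BUY",   600, 0.19),
    Trade(3, "r1", "PNNY", "SELL",  200, 0.19),
    Trade(4, "v4", "PNNY", "BUY",   900, 0.25),
    Trade(4, "s1", "PNNY", "SELL", 15000, 0.25),
    Trade(5, "r2", "PNNY", "SELL",  300, 0.12),
    Trade(6, "s1", "PNNY", "SELL",  5000, 0.08),
    Trade(2, "x9", "ACME", "BUY",   100, 12.00),
]


def target_symbols(reports, min_reports=3):
    """Symbols that recur across independent fraud reports (the many-to-one pattern)."""
    counts = Counter(sym for _, sym in reports)
    return sorted(sym for sym, n in counts.items() if n >= min_reports)


def price_crest(ledger, symbol):
    """Time step at which the traded price for `symbol` peaked."""
    fills = [tr for tr in ledger if tr.symbol == symbol]
    return max(fills, key=lambda tr: tr.price).t


def candidate_sellers(ledger, symbol, window=1, min_qty=1000):
    """Accounts whose total sales within `window` steps of the crest exceed min_qty.

    Small sellers are dropped on purpose: the post argues the profit-taking
    comes in a few large blocks, not hundreds of small trades.
    """
    crest = price_crest(ledger, symbol)
    sold = defaultdict(int)
    for tr in ledger:
        if tr.symbol == symbol and tr.side == "SELL" and abs(tr.t - crest) <= window:
            sold[tr.account] += tr.qty
    return sorted(acct for acct, qty in sold.items() if qty >= min_qty)


def investigate(ledger=LEDGER, reports=FRAUD_REPORTS):
    """Run the whole pipeline: reports -> symbols -> large sellers near each crest."""
    return {sym: candidate_sellers(ledger, sym) for sym in target_symbols(reports)}


if __name__ == "__main__":
    print(investigate())
```

The output is a short list of accounts per symbol that merits a closer look, not a finding: a legitimate holder who happened to sell a large block near the top would appear as well, and anyone selling through a venue outside this ledger would not appear at all.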

Re:sourcing the problem (1)

johnsonav (1098915) | more than 5 years ago | (#27057973)

The probability of success is an inverse of the number of people involved in criminal enterprise.

And yet organized crime still exists, in the US and abroad. If this is a pump-and-dump type scheme, it's almost certainly being financed by an organized crime syndicate somewhere. It takes money to make money, in this instance.

You are correct that these schemes are difficult by simply viewing trading transactions, because the missing piece of the puzzle is communication between the participating parties, directly or otherwise.

The only thing the attacker needs from the victim are the login details (username and password) to their brokerage accounts. After that, the criminals can access those accounts from anywhere in the world. Or, they can use the rootkit from the virus to originate those transactions from the victim's own machine.

The many to one relationship means we can eliminate small purchases of the useless stock, and at some point near where the stock price crests, we have a list of who the sellers are.

These stocks may be sold in many countries all around the world. US stocks can be traded on exchanges in Europe and Asia. Even if the victims' accounts were used to purchase stock on the US market, the criminals can sell on dozens of different markets around the world. So you have to get lists of sellers from many different exchanges in many different countries. That makes it much harder.

And that's the crucial flaw -- they have to sell, and yes, several people will sell in the target window of opportunity -- but how many of them will sell who fit the profile of the criminal we're looking for?

What profile are you looking for? The sellers could be anyone. And because they could be anywhere, you now need the cooperation of dozens of different governments.

Think about it: The actual criminal mastermind could be a Russian mobster. The seller of the stock--who is working for the Russian--could be in Estonia, using a British broker, and selling these stocks on the German exchange. Where do you start?

Re:sourcing the problem (1)

LoyalOpposition (168041) | more than 5 years ago | (#27057293)

Nice profile, but I was disabused of the reliability of profiles by Lee Boyd Malvo and John Allen Muhammad.

-Loyal

Re:sourcing the problem (1)

AbbyNormal (216235) | more than 5 years ago | (#27057297)

"find someone who was recently in debt, and is now very much out of debt."

  You mean like most US companies that just got bailed out by the government?

  Good luck with that.

Re:sourcing the problem (4, Insightful)

NeutronCowboy (896098) | more than 5 years ago | (#27057419)

Err, no. You might have the most likely demographic right, but that's just because they contain the majority of crackers. As for the debt, it is very unlikely someone in that demographic managed to accumulate a lot of debt.

What I'm pretty sure you got completely wrong is the acting alone part. You do not profit from this kind of targeted scheme by working alone. You either have a taskmaster who requested this info, or you know the people who will be able to profit from this info.

Really, nice try, but I'm pretty sure you have no idea who the crackers really are, and how they operate. I don't know em personally either, but I've got enough experience with DSM and psychological profiling to call shenanigans on your assessment.

Re:sourcing the problem (3, Interesting)

girlintraining (1395911) | more than 5 years ago | (#27057831)

I don't know em personally either, but I've got enough experience with DSM and psychological profiling to call shenanigans on your assessment.

And yet you don't state your qualifications. Well, here's mine: I have been in information technology for eleven years, have done network and system administration at the enterprise level, and have assisted investigators tracking down so-called "hackers". I also have about four years of programming experience, mostly to support the aforementioned. I also have spent a significant portion of my professional time learning digital forensics, taking apart malware kits, and have friends that do skip-tracing professionally (they track people down, and I know people who do civil and criminal). I have also worked on classified government systems (can't say which, obviously), and busted two people on-site who attempted to access information without authorization on those systems (the men with shotguns came and took them away). I do know what to look for, and I have caught people who thought they were so very much smarter than we were. Repeatedly, and sometimes in the flesh.

You're right, I have no idea who this person or people are. That said, if this guy was working with a herder or someone with access, the vector would have been found by now. It hasn't, which means they're not using an established botnet for deployment. Not only that, but while some of the programmatic methods may be similar, that alone shouldn't make an investigator jump to the conclusion the two are in contact with one another. Especially not with the volumes of security research on how these networks operate available to the public. Even slashdot has published links to the aforementioned! All this said, again, you're also right that I don't have a degree in psychology, or criminal profiling, etc. -- I just deal with these people on the front line and I'm going by what my gut and my experience tells me should be there. A real profiler would start with known facts, which I don't have, and have a support team to get definitive answers, which I also don't have. It's still a lot better of an educated guess than most people here could make.

Re:sourcing the problem (0)

Anonymous Coward | more than 5 years ago | (#27057547)

All signs point to recent financial irregularities at credit unions with technology created by the Initech Corporation.

Perhaps if the industry had standardized on the superior products from Intertrode, all of this could have been avoided.

time for 2-factor (3, Insightful)

Lord Ender (156273) | more than 5 years ago | (#27056989)

It is time for online financial institutions (brokerages and banks) to require real 2-factor authentication to log in to their sites. When I sign up for a bank account, I want them to mail me an ATM card with an embedded smartcard chip, along with a cheap USB smartcard reader. Alternatively, send a one-time-passphrase device like SecurID.

This may be a little expensive up front, but it would cut down on enough fraud that it might pay for itself.

Re:time for 2-factor (2, Insightful)

Darkness404 (1287218) | more than 5 years ago | (#27057035)

I want them to mail me an ATM card with an embedded smartcard chip, along with a cheap USB smartcard reader.

That's just fine, but they most likely won't release drivers for it for anything other than Windows and perhaps OS X, so any BSD, Linux, or other alternate OS user gets left out.

Secondly, it would be trivial for an attacker to put in compromised drivers in the system that reads out all the secure info and forwards it to his website where he can duplicate all the secure keys and such.

Re:time for 2-factor (1)

Lord Ender (156273) | more than 5 years ago | (#27057537)

Secondly, it would be trivial for an attacker to put in compromised drivers in the system that reads out all the secure info and forwards it to his website where he can duplicate all the secure keys and such.

First of all, smartcard reader drivers exist for linux. They aren't complex devices.

Second, you have no idea how smartcards work. The private key never leaves the chip.

Re:time for 2-factor (0)

Anonymous Coward | more than 5 years ago | (#27057405)

I have this, the card reader is not connected to the computer but standalone. I believe this is common practice nowadays, at least in Europe.

Re:time for 2-factor (1)

Inda (580031) | more than 5 years ago | (#27057499)

They're great. Without the reader, the worst someone could do after obtaining passwords, PINs and account numbers, is pay my bills.

Re:time for 2-factor (1)

pz (113803) | more than 5 years ago | (#27057651)

This may be a little expensive up front, but it would cut down on enough fraud that it might pay for itself.

Or have customers pay for their own passphrase-generating device, like PayPal did.

hsbc does this in the usa right now (1)

circletimessquare (444983) | more than 5 years ago | (#27057737)

they give you a little red dongle, and every time you log in, you have to enter a 6 digit number you read from the dongle's screen after pushing its button

it's annoying because i'm always misplacing the dongle

but every time i hear a story like this one, i begin to appreciate the extra effort

and that's really why you don't see more widespread adoption of things like this dongle: people favor convenience over security. i can see plenty of people whining about the dongle and banks worrying about losing customers

of course, one of these days we're going to have an Armageddon-level type identity theft event, and then we'll all be using 3 factor authentication. humanity is lazy and shortsighted until it's too late

i don't see why they couldn't make the second factor elective rather than mandatory though, for security minded folks like yourself. it would be a customer relations boon for a small subsection of banking customers. it's just a shame that you really only represent a minority interest

Re:time for 2-factor (1)

ACMENEWSLLC (940904) | more than 5 years ago | (#27057759)

My bank offers me the RSA SecurID feature for $20. It also offers me identity theft protection for free, with no deductible.

I have several RSAid's, one per site I use. Why can't I have just one and have RSA the hosted SecurID Management site, like openID?

Malware that removes malware (2, Interesting)

djveer (1179631) | more than 5 years ago | (#27056993)

Interestingly the Tigger trojan actually goes to the trouble of removing other more 'intrusive' malware that Anti-malware products currently detect in order to keep a low profile.
This makes me wonder just how widespread it could be.

And... (2, Funny)

Anonymous Coward | more than 5 years ago | (#27057049)

...nothing of value was lost.

In other news... (1)

kabrakan (13409) | more than 5 years ago | (#27057061)

$tarDu$t also recommends David Bowie's Station to Station for a complete botnet soundtrack.

Superb scheme (0)

Anonymous Coward | more than 5 years ago | (#27057179)

Usually police can track botnet owners just by following the money, but in this case there is no money to track.

Version 2.0 (4, Interesting)

russotto (537200) | more than 5 years ago | (#27057193)

Version 2.0 won't just steal data. It'll make trades. Aside from the obvious theft possibilities, the controller would have the ability to create his very own economic meltdown, in any companies he wished, limited only by the size of his botnet...

Re:Version 2.0 (2, Interesting)

mgkimsal2 (200677) | more than 5 years ago | (#27057947)

If it's too blatant ("meltdown") trading will just be halted. Better to be small about it. Buy stock X. Start doing a few hundred buys against a small stock from various PCs, run up the price, sell stock X, keep profit. Not much different than the email scams that try to pump up penny stocks, except in this case rather than just trying to get someone to buy it, you'd just buy it from their account for them.

I've often wondered when viruses would start getting smarter. A virus that simply changed some of your appointments in Outlook's calendar (or emailed recipients stating that a meeting had been cancelled or changed) would cause HUGE amounts of damage. A virus that would just open Excel, change a few numbers, then resave it silently, would, again, do HUGE amounts of damage. It would be very hard to trace this at first, and may have long lasting results. But virus writers seem to want to be so "in your face" about the fact that you're infected (using up all your CPU/network, for example) that people immediately know they have a virus and take steps to remove it.

This little bugger sounds pretty smart, removing other viruses in an attempt to keep the host unaware of any compromise. Good thinking.

Operating Systems List (XP Only) (3, Informative)

solder_fox (1453905) | more than 5 years ago | (#27057217)

It would be nice if they had a list of Antivirus programs that were effective and/or operating systems affected, nice and prominent somewhere linked from the article.

FYI, from the security bulletin:

Affected software:
XP Service Pack 2 & 3
XP Pro x64 and x64 Service Pack 2
Server 2003 Service Packs 1 & 2
Server 2003 x64 and x64 Service Pack 2
Server 2003 with SP1 and SP2 for Itanium

Non-affected:
Win2K SP 4
Vista & Vista SP1
Vista x64&SP1
Server 2008 32
Server 2008 x64
Server 2008 Itanium

Insider Trading (2, Interesting)

locallyunscene (1000523) | more than 5 years ago | (#27057625)

I wonder if how the virus was spread could give clues to "who knows who"? I.e., did all the machines infected at Scottrade start from a single intrusion, or was there some type of sharing of data between Scottrade and TD Ameritrade? Not necessarily illicit, but seeing formal and informal alliances.

Re:Insider Trading (1)

Vancorps (746090) | more than 5 years ago | (#27058023)

Of course I also wonder if it has anything to do with the fact that I've been seeing a lot of job postings at the trading firms involved lately.

keep it updated.... (1, Informative)

Anonymous Coward | more than 5 years ago | (#27057733)

All the focus here is on the AV finding the rootkit. Everyone forgets if they would have kept the machine updated, the rootkit or virus would not have been able to infect the machine in the first place. AV is a second layer of defense. MS Windows machines should be set up to update automatically. MS released the fix for the vulnerability this rootkit took advantage of a month or two before the rootkit was released.

Unethical (2, Funny)

Hognoxious (631665) | more than 5 years ago | (#27058165)

Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles...

Man, that's just unethical. What's the world coming to?
But look on the bright side - even though honour among thieves is gone, at least the banking world lives on.
