Tuesday, August 21, 2007

Trojan On Monster.com Steals Personal Data

A new Trojan is successfully attacking online recruiting sites and has already accessed data on hundreds of thousands of users, researchers said last Friday.

Researchers from Symantec and SecureWorks separately reported finding surprisingly effective penetrations by the new Trojan, called Infostealer.Monstres, which targets the online recruitment website Monster.com. Other versions of the Trojan, which is a variant of the Prg Trojan, were also found attacking other online job sites.

Interestingly, Monster.com and a security business partner, Cyveillance, warned the industry about increasing attacks on recruiting sites less than a month ago. (See Help Wanted: ID Theft Victims.)

The new Trojan, usually delivered via the phishing messages that Monster.com and Cyveillance warned users about, has allowed attackers to collect as many as 1.6 million pieces of data affecting "several hundred thousand" users on Monster.com alone, according to Symantec. Working independently, SecureWorks last Friday reported finding at least a dozen caches of personal information, totaling about 100,000 identities.

"The Trojan appears to be using the (probably stolen) credentials of a number of recruiters to login to the [Monster.com] Website and perform searches for resumes of candidates located in certain countries or working in certain fields," Symantec says in its blog. "The Trojan sends HTTP commands to the Monster.com Website to navigate to the Managed Folders section. It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter’s saved searches."

The personal data is then extracted from the resumes and uploaded to a remote server, Symantec says. The Symantec researchers found all 1.6 million pieces of compromised data on a single server, but SecureWorks found at least a dozen smaller caches, so the number of users affected is likely higher than either research team has reported so far.
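The behaviour described above, a script logging in with a recruiter's stolen credentials and walking saved-search results one profile at a time, leaves a signature in the site's own access logs that a human recruiter does not: machine-speed profile fetches, far more of them per account than a person reads, and sometimes the same account active from more than one host. The following is an added example (not Symantec's detection logic and not Monster.com's log format) that scores each recruiter account over a sliding window on those three signals. The log format, the `/recruiter/resume/<id>` path, the account names, IPs and thresholds are all assumptions, and the sample traffic is constructed inline.

```python
"""Flag recruiter accounts whose profile fetches look automated.

Added example. Log format, paths, thresholds and traffic are assumptions
constructed for illustration, not the job site's real logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<iso timestamp> <account> <src ip> <method> <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<account>\S+)\s+(?P<ip>\S+)\s+(?P<method>GET|POST)\s+(?P<path>\S+)$"
)
# Assumed path of a single candidate profile view.
RESUME_RE = re.compile(r"^/recruiter/resume/\d+$")


def parse_log(text):
    """Parse the assumed format into dicts, sorted by time; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_scrapers(events, window=timedelta(minutes=10), max_views=25,
                  burst_gap=timedelta(seconds=2), burst_len=10):
    """Return {account: sorted list of reasons} for accounts that trip any signal.

    volume:   more than max_views profile fetches inside one sliding window
    burst:    burst_len consecutive fetches each less than burst_gap apart
    multi_ip: the same account fetching profiles from more than one IP in the window
    """
    flagged = defaultdict(set)
    recent = defaultdict(deque)   # account -> (ts, ip) of fetches inside the window
    streak = defaultdict(int)     # account -> length of the current fast-fetch run
    last = {}                     # account -> timestamp of its previous fetch
    for ev in events:
        if not RESUME_RE.match(ev["path"]):
            continue
        acct, ts, ip = ev["account"], ev["ts"], ev["ip"]
        q = recent[acct]
        q.append((ts, ip))
        while ts - q[0][0] > window:          # drop fetches older than the window
            q.popleft()
        if len(q) > max_views:
            flagged[acct].add("volume")
        if len({i for _, i in q}) > 1:
            flagged[acct].add("multi_ip")
        if acct in last and ts - last[acct] < burst_gap:
            streak[acct] += 1
        else:
            streak[acct] = 0
        if streak[acct] >= burst_len:
            flagged[acct].add("burst")
        last[acct] = ts
    return {a: sorted(r) for a, r in flagged.items()}


def _line(t, acct, ip, path, method="GET"):
    return f"{t.isoformat()} {acct} {ip} {method} {path}"


# Constructed sample traffic (not real data): one human recruiter and one
# account being driven by a script after its credentials were stolen.
_T0 = datetime(2007, 8, 17, 9, 0, 0)
_lines = [
    _line(_T0, "rec_alice", "203.0.113.5", "/recruiter/login", "POST"),
    _line(_T0 + timedelta(minutes=1), "rec_alice", "203.0.113.5", "/recruiter/managed_folders"),
]
for i in range(6):   # a person: six profiles over half an hour from one IP
    _lines.append(_line(_T0 + timedelta(minutes=2 + 5 * i), "rec_alice",
                        "203.0.113.5", f"/recruiter/resume/{1000 + i}"))
_lines.append(_line(_T0 + timedelta(minutes=3), "rec_bob", "198.51.100.7", "/recruiter/login", "POST"))
_lines.append(_line(_T0 + timedelta(minutes=3, seconds=2), "rec_bob", "198.51.100.7",
                    "/recruiter/managed_folders"))
for i in range(40):  # a script: one profile per second, later from a second host
    ip = "198.51.100.7" if i < 30 else "198.51.100.9"
    _lines.append(_line(_T0 + timedelta(minutes=3, seconds=3 + i), "rec_bob", ip,
                        f"/recruiter/resume/{2000 + i}"))
SAMPLE_LOG = "\n".join(_lines)


if __name__ == "__main__":
    for acct, reasons in find_scrapers(parse_log(SAMPLE_LOG)).items():
        print(acct, reasons)
```

Running it reports only `rec_bob`, with all three reasons; `rec_alice` trips none. The thresholds are deliberately loose so that a busy human recruiter is not flagged on volume alone; the burst and multi_ip signals are what separate a scripted client from a fast reader, and an account that trips more than one is a candidate for forced re-authentication and a password reset rather than just rate limiting.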

"Such a large database of highly personal information is a spammer’s dream," Symantec says. "In fact, we found the Trojan can be instructed to send spam email using a mail template downloadable from the command and control server."

This is not the first Trojan to target Monster.com, Symantec reports. "The main file used by Infostealer.Monstres, ntos.exe, is also commonly used by Trojan.Gpcoder.E, and both also have a similar icon for the executable file that reproduces the Monster.com company logo. [This is] hardly a coincidence."

"Furthermore, Trojan.Gpcoder.E has reportedly been spammed in Monster.com phishing emails," Symantec says. "These emails were very realistic, containing personal information of the victims. They requested that the recipient download a Monster Job Seeker Tool, which in fact was a copy of Trojan.Gpcoder.E.

"This Trojan will encrypt files in the affected computer and leaves a text file requesting money to be paid to the attackers in order to decrypt the files," Symantec explains. "The code for Gpcoder is rather similar to that of Monstres, which may indicate the same hacker group is behind both Trojans."

The researchers say they have informed Monster.com of the attacks so that the presumably stolen recruiter accounts can be shut down. In the meantime, they advise users not to put personal information, such as Social Security numbers, into their online job postings. Users should not give out this sort of data until they have established that a potential employer is legitimate, they say.


dyutita said...

It's true that Trojan viruses are affecting every website here on our campus; due to the LAN connection a number of advanced viruses are roaming here and there from one laptop to another. Recently in almost all laptops there was a virus, I forget its name, but it affects everyone drastically by disabling our Task Manager and Run command, and this creates a huge mess on our campus...
What do you think, sir, is there any solution to cope with these cute and highly communicable viruses...
It was nice, really a nice article, dude.

Naveen Mohan Shukla said...

First of all thanks for the comment.
If you can tell me exactly what message you are getting and what bad things you are facing with the virus, then I can tell you the solution for that.

Generally such viruses, which propagate in a server like monster.com, can be removed by their server only; there is nothing we can do except upload our information carefully. I think I have already mentioned in the posting the security measures which you have to take while uploading the information.

Naveen Mohan Shukla said...

There is a registry hack to enable or disable the Windows NT Task Manager. The same registry hack applies to Windows 2000 and Windows XP.

Name: DisableTaskMgr
Value 1 = Enable this key, that is, DISABLE Task Manager
Value 0 = Disable this key, that is, don't disable; ENABLE Task Manager

As part of the enhanced management available in Windows 2000 and Windows XP, rather than risking a registry change, as an administrator you can enable or disable Windows 2000 Pro or Windows XP Pro's Task Manager using the Group Policy Editor. This can be applied to the local policy. Note: if you are trying to override your organization's group policy, you can't. As soon as you re-authenticate to the domain, the domain or OU Group Policy will rewrite the registry setting. But if the Task Manager was accidentally disabled or you need to control this item for a set of standalone boxes, this is for you:

* Click Start
* Click Run
* Enter gpedit.msc in the Open box and click OK
* In the Group Policy settings window
o Select User Configuration
o Select Administrative Templates
o Select System
o Select Ctrl+Alt+Delete options
o Select Remove Task Manager
o Double-click the Remove Task Manager option

And as I mentioned above, since the policy is Remove Task Manager, by disabling the policy you are enabling the Task Manager.

Naveen Mohan Shukla said...

To enable the run command try this.

Click Start, Run and type this command exactly as given below (better: copy and paste):

REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f

dyutita said...

Thanks for replying and giving such wonderful information... Actually I was waiting for this solution, because in most of our campus laptops these problems are prevalent and our administrator is dumb, so we resolve these problems personally.

I am an ICFAI Hyd student pursuing my MBA in Marketing + IT........
Manvendra.P.singh (http://dyutita.blogspot.com)

Naveen Mohan Shukla said...

Hi Mr. Manvendra.P.Singh,

It is my pleasure that my tips really helped you out in kicking this virus out of the campus.

Well I am "Naveen Mohan Shukla" and there is no need for you to tell me who you are.

By the way dude nice blog http://dyutita.blogspot.com

It is really full of knowledge.
So how is life in ICFAI..?
