T-I-double-guh-Er...The unique and fierce Tigger Trojan pounces
A piece of malware known alternately as Syzor and Tigger.A is gaining interest from security researchers thanks to its unusual behavior, and from stock and options-trading firms thanks to targeting customers and employees in that sector.
Tigger takes advantage of a privilege-escalation vulnerability in Windows, a vuln reported in MS08-066 and patched in October. The privilege-escalation exploit allows the malware to override whatever limitations might be on the account. In other words, if you're sensible enough not to run your machine in administrator mode, this malware sidesteps your puny attempt at safe computing. But wait, there's more!
Upon arrival, it cleans house, deleting nearly two dozen other pieces of malware from the system if they're discovered. This is the last nice thing you'll hear about Tigger. Researchers hypothesize that the malware's attempting to make things behave as normally as possible, so as not to draw attention to a machine that's about to experience great hurt.
It installs a rootkit, one that runs in safe mode. The rootkit compromises FAT and NTFS file system drivers, disables kernel debuggers, and blocks other processes from accessing the kernel driver's memory -- in other words, ensuring that rebooting in safe mode will avail you naught.
Tigger then turns its fetid attentions to anti-malware software, disabling many of the most common protections -- products from AVG, Avira, CA, Kaspersky, and Outpost in addition to Windows' own Defender and Firewall options. (Coincidentally, the Conficker virus -- the season's other grand debut -- has taken in recent days to shutting down anti-malware software it finds, according to Symantec.) And now, with the distractions tamped down and the watchdogs shot, it gets busy.
The malware monitors browser events; grabs passwords for IM, email, remote-access, storage and network; sniffs FTP and POP3 authentication information, and steals cookies and certificates. It scoops up screen shots and logs keystrokes just in case you're looking at anything interesting. Then it grabs system information, establishes a backdoor, and attempts to phone home for further instructions.
All this effort for what, exactly? It's believed that Tigger is targeting stock and trading firms, among them Ameritrade, e-Trade, ING Direct, OptionsXpress, Scottrade, ShareBuilder, and Vanguard. Go ahead and crack wise about how the market drains your portfolio faster than any thief could these days, but clues in the code make it clear that someone out there was willing to commission a very fancy Trojan to get that data.
Michael Hale Ligh, a security analyst at iDefense who has examined Tigger's guts closely, says that a key piece of code used in the rootkit-installation process bears a strong resemblance to one used by the Srizbi botnet smitten back in November. Related? It wouldn't be unthinkable; the Russian-born Srizbi botnet was once responsible for nearly 50% of the world's spam, and one suspects that its keepers would still like to profit from the code by any means necessary.
Ligh's MNIN Security Blog compliments the nasty thing on its sheer creativity -- "one of the most diverse trojans that I've seen," as Ligh puts it. He first tangled with Tigger late last month and has since then been amusing himself with developing a detection method that works without a bootable rescue disk and operates from user mode.