Current Event: The Elusive Tigger.A Trojan

By Erik Turnquist at 8:24 pm on March 5, 2009 | 1 Comment

The Tigger.A trojan was first discovered by iDefense, a security intelligence firm, in November 2008. It has proven to be very difficult to detect and remove from the beginning, which has many security researchers wondering if Tigger.A may actually be a new type of trojan. Since its discovery it has infected more than 250,000 Windows machines which were mainly located at major stock and options trading firms including E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade as well as Scottrade.

Tigger.A exploits a vulnerability, originally patched by Microsoft in October 2008, which allows it to gain administrator privileges. The trojan also removes other pieces of malware already present on the user’s system, making the user more likely to believe the system is clean when it is not. Furthermore, the trojan installs a rootkit that loads even when the user boots into Safe Mode.

Investigators at iDefense have also discovered that this trojan might have been built by the operators of the Srizbi botnet. They came to this conclusion because Tigger.A uses a special key to deploy the rootkit on a machine, and that key happened to be almost identical to the domain name generator key used in the botnet.

The trojan was able to spread and infect computers easily because many of them had not been patched, despite the patch having been available for 5 months. Updating and patching systems should be a top priority for financial and trading institutions such as the ones mentioned above. Although many IT departments prefer to wait a while after an update is released to avoid unexpected upgrade problems, in this case they either waited far too long or simply forgot to patch the machines. Another difficulty with this trojan is that it was not picked up by major anti-virus software. In fact, the article states that, out of 37 of the most popular scanners tested, it took a month before even a single one (AntiVir) detected it. As a result, both individual users and IT professionals need to realize that in some cases anti-virus software will not be able to defend their computers against an infection. The article even proposes that, “running Windows under a limited user account is a key step in keeping your system in its safest state, staying up-to-date on patches … is still just as important. I would actually rank anti-virus a distant third protection mechanism.”

Although it doesn’t appear as though data was immediately stolen from the infected computers, a large amount of financial information could easily have been lost given the number of computers infected. Users must abandon the mentality that installing patches isn’t necessary because they don’t believe their computer will be infected. Furthermore, installing patches as soon as they are released is crucial.

Via Slashdot: http://it.slashdot.org/article.pl?sid=09/03/03/1951222

Original Article: http://voices.washingtonpost.com/securityfix/2009/02/the_t-i-double-guh-r_trojan_ic.html

Filed under: Current Events

1 Comment


    Comment by liaowt

    March 6, 2009 @ 5:34 pm

    We should do security updates frequently or turn on automatic updates. I have used computers for more than 10 years. However, I did not have this good practice until last year. Mostly, I clicked “remind me later” and ignored the update.