Luis Corrons Panda
This is the story of how what seemed to be 'just another trojan' evolved into one of the biggest crimeware cases we have ever seen.
We discovered it on 30 January when we were doing some tests in our Banking Trojans Alert Service. It was targeting different banking companies, mainly from the US and UK. In the following days, several variations of the same trojan appeared. From there, we managed to find out who was behind these attacks.
First, we noticed different hackers using the same tool to steal data, but that was just the tip of the iceberg: we realized how they were using the infected computers not only to steal that information, but also to offer some 'value added services', such as sending spam and trojans, DDoS attacks, renting anonymous proxies to send spam, as well as different software tools to make hackers' lives easier (to crypt and pack files, to check valid FTP accounts, and scripts in Perl and PHP to send spam).
Second, we unmasked the author of the trojan, which was for sale in different Russian forums. Not only was the trojan for sale, but also credit cards, passports, databases, etc.