The hackers behind the scam running ads on leading online job sites "are injecting their ads with the trojan," said Don Jackson, the SecureWorks researcher who discovered the scheme as well as the original Prg trojan.
"When a user views or clicks on one of the malicious ads, their PC is infected and all the information they are entering into their browser, including financial information being entered before it reaches the SSL protected sites, is being captured and sent off to the hacker's server in Asia Pacific."
He said that information stolen includes names, Social Security numbers, bank and credit card account numbers, online payment account user names and passwords.
SecureWorks discovered the names after developing countermeasures "to detect the network traffic" generated by the Prg trojan on infected systems, Jackson told SCMagazine.com.
"We deployed the [countermeasures] on clients' systems, then watched where the network traffic was going and followed it to the server" in Asia, he added.
"This one server is still collecting stolen data and at any one time, we're seeing 9,000 to 10,000 victims sending information" [to] it, he added.
Jackson said that the ad aggregators who sold the hackers' ads are apparently unaware that the ads contain links to malicious sites.
The malware on the sites uses vulnerabilities in Windows, QuickTime, and ActiveX controls to infect users' systems with executables that collect personal information such as passwords.
"Anti-virus software has a hard time finding it because of the way it hides itself and also because it changes executables so frequently – the hackers behind this scam are releasing a new variant every five days to a week on average, and sometimes even quicker," he added.
"Once the anti-virus stops one version, another rolls in and gets through to vulnerabilities the user has not applied patches for."
Because anti-virus software solutions "are not good at catching this, the best way to protect yourself is to patch the operating system and everything else" on the computer, Jackson said.
Computers infected with the Prg trojan will have a back door proxy server listening for connections on port 6081, according to Jackson. "This port is not assigned to legitimate services and is not hidden by the rootkit functionality. If port 6081 is open on your computer, you are likely infected with the Prg trojan," said Jackson.
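The port check Jackson describes can be scripted. The following is an added example, not code from the article or from SecureWorks: it parses `netstat -ano` output (the Windows form that includes the owning PID) for a TCP socket in LISTENING state on port 6081 and, as a second opinion, tries a TCP connect to the loopback address. The sample netstat text embedded below is constructed for illustration; the PIDs and addresses in it are made up.

```python
"""Look for the Prg trojan's back-door listener on TCP port 6081.

Added example, not from the article or SecureWorks. Two checks:
  1. parse `netstat -ano` output for a LISTENING TCP socket on the port
     (the article says the rootkit does not hide this listener),
  2. optionally attempt a TCP connect to 127.0.0.1:6081.
"""
import re
import socket
import subprocess
from typing import List, Optional

PRG_PORT = 6081  # port SecureWorks attributes to the Prg back-door proxy

# One line of `netstat -ano` (Windows) output, e.g.:
#   TCP    0.0.0.0:6081    0.0.0.0:0    LISTENING    1234
# The State column is absent for UDP rows, so it is optional here.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+)\s*$"
)


def local_port(addr: str) -> Optional[int]:
    """Extract the port from 'host:port' or '[v6addr]:port'; None if absent."""
    _host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return int(port)


def find_listeners(netstat_output: str, port: int = PRG_PORT) -> List[dict]:
    """Return TCP sockets in LISTENING state on `port`, with their PIDs."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank line, or something we do not parse
        if m.group("proto") != "TCP" or m.group("state") != "LISTENING":
            continue
        if local_port(m.group("local")) == port:
            hits.append({"local": m.group("local"), "pid": int(m.group("pid"))})
    return hits


def port_accepts_connection(port: int = PRG_PORT, host: str = "127.0.0.1",
                            timeout: float = 1.0) -> bool:
    """Live check: does something accept a TCP connection on host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample of what `netstat -ano` might print on an infected host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:6081           0.0.0.0:0              LISTENING       2456
  TCP    192.168.1.5:49321      203.0.113.10:443       ESTABLISHED     2456
  UDP    0.0.0.0:6081           *:*                                    3100
"""


def report(netstat_output: str, port: int = PRG_PORT) -> str:
    """Human-readable verdict for the given netstat output."""
    hits = find_listeners(netstat_output, port)
    if not hits:
        return f"no TCP listener on port {port}"
    pids = ", ".join(str(h["pid"]) for h in hits)
    return f"TCP listener on port {port} (PID {pids}): possible Prg infection"


if __name__ == "__main__":
    # On a real Windows host, run netstat itself; fall back to the sample.
    try:
        out = subprocess.run(["netstat", "-ano"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_NETSTAT
    print(report(out))
    print("loopback connect to port 6081:",
          "accepted" if port_accepts_connection() else "refused")
```

An open port 6081 is a strong indicator but not proof by itself; the PID from netstat should be matched against the process list (Task Manager or `tasklist /svc`) to see which executable owns the socket before concluding the host is infected.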
Victims whose anti-virus is not detecting the infection should boot the computer into Safe Mode and run an anti-virus scan. "If that fails, manual removal or reinstalling the operating system may be necessary," Jackson said.
46,000 job hunters victimised by malicious recruitment ads
By Jim Carr on Aug 17, 2007 10:10AM