A credit-card-stealing trojan is being sold on a Russian cybercrime market, and one expert says it communicates over a peer-to-peer network that is safer for its operators than Tor.
The i2Ninja trojan spreads via drive-by downloads, fake advertisements and bogus links, but it has not yet been observed in the wild.
It takes its name from I2P, an anonymizing network layer similar to Tor that uses cryptography to secure communications between its nodes.
Trusteer fraud prevention manager Etay Maor said I2P is a “true Darknet” that offers better protection than Tor, and explained how the added security layer makes it more difficult to research and understand the malware's infrastructure and capabilities.
“While the malware offers different HTML injection capabilities [targeting poker sites and grabbing email], it will also soon offer a virtual network computing (VNC) module just like all other major malware families,” Maor said, citing trojan families such as Zeus, Citadel and SpyEye as examples.
“Once a VNC capable malware infects a device, the attacker's options are almost limitless.”
However, Maor said he still thinks it is only a matter of time before the I2P encryption is broken, much as the FBI made a major arrest on Tor in August by exploiting a Firefox vulnerability, and added that the attackers using i2Ninja likely understand this as well.
It is unclear just how much of a threat i2Ninja represents right now, Maor said, but the malware seems to be in high demand.
“The cyber criminal offering the malware in the underground indicated he has enough business due to the malware's underground publicity and indicated he cannot handle more requests to buy the malware,” Maor said. “The cyber criminal who posted the information regarding i2Ninja is a known and credible forum member.”