Keylogger Steals Passwords From IE

The keylogger behind a major identity theft ring is especially invasive, said an anti-spyware vendor Thursday as it prepared to roll out a free detection and deletion tool. Last week, Florida security company Sunbelt Software said one of its researchers had stumbled on a server that held a file containing a large number of usernames, passwords, telephone numbers, credit card and bank account numbers, and other personal information.

All the information, Sunbelt now says, was gathered with a new, potentially damaging keylogger, a small program which secretly steals information.
The keylogger behind a major identity theft ring is especially invasive, said an anti-spyware vendor Thursday as it prepared to roll out a free detection and deletion tool.

The keylogger, which has been dubbed Srv.SSA-KeyLogger, filches data from users' Internet sessions, including logins and passwords from online banking sessions, eBay, PayPal, and other programs that use HTML-based forms to collect information. Intuit's Quicken, for instance, often relies on a Web-based interface to download a user's account statement to the personal finance software's database.

Related to the Dumador/Nibu family of Trojans, this keylogger is especially malevolent, said Eric Sites, the vice president of research and development at Sunbelt. "It doesn't sit and wait around for a password to be typed in," he said, a trait of most keyloggers. "Instead, it steals data from Internet Explorer's Protected Storage area."

Protected Storage is actually a set of registry keys used to store memorized usernames and passwords. When the AutoComplete feature of Internet Explorer is enabled (as it is by default), the Microsoft browser automatically remembers usernames and passwords entered in forms, and records them in Protected Storage. Although the data there is encrypted, simple utilities can easily decrypt the information.

This keylogger also hijacks anything in the Windows clipboard, turns off the Windows firewall (as well as some third-party firewalls), and because it runs as a disguised Internet Explorer thread, is generally undetectable by any firewall it doesn't disable. Sunbelt said it has been sharing its information with other security vendors.

"When we first discovered this, only Kaspersky Labs had a signature to detect the keylogger," said Sites. "Since then, though, almost all the major anti-virus vendors have released signatures."

Sunbelt still plans to publish a free detection and deletion tool later Thursday, said Sites. The tool will be posted on the front page of the company's Web site as soon as it wends its way out of testing.

Until then, Sunbelt recommended that IE users worried about Srv.SSA-KeyLogger should disable IE's AutoComplete. To turn off AutoComplete in IE, select Internet Options under the Tools menu, click the Content tab, then the AutoComplete button. Clear the box marked "User names and passwords on forms," then click OK in that dialog and the next.

Other browsers, such as Mozilla's Firefox, do not use Protected Storage to record memorized passwords and usernames, and so are safer against the new keylogger.