The Tigger Trojan: Icky, Sticky Stuff

A relatively unknown data-stealing Trojan horse program that has claimed more than a quarter-million victims in the span of a few months aptly illustrates the sophistication of modern malware and the importance of a multi-layered approach to security.

When analysts at Sterling, Va., based security intelligence firm iDefense first spotted the trojan they call "Tigger.A" in November 2008, none of the 37 anti-virus products they tested it against recognized it. A month later, only one - AntiVir - detected it.

That virtual invisibility cloak, combined with a host of tricks designed to elude forensic malware examiners, allowed Tigger to quietly infect more than 250,000 Microsoft Windows systems, according to iDefense's read of log files recovered from one of the Web servers Tigger uses to download code.

iDefense analyst Michael Ligh found that Tigger appears designed to target mainly customers or employees of stock and options trading firms. Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade and Scottrade.

iDefense said the Trojan is the first known malware to exploit a specific vulnerability Microsoft patched in mid-October 2008. That flaw is what's known as a "privilege escalation" vulnerability, in that it cannot be exploited remotely, and merely allows the attacker to gain access to the almighty "administrator" account in Windows.

That means that even if the user is running the system as I so often advise - under a limited user account that does not have permission to make changes deep within the operating system -- the presence of this unpatched vulnerability on a Windows system would let this invader override that protection.

While running Windows under a limited user account is a key step in keeping your system in its safest state, staying up-to-date on patches -- both fixes for the operating system and third-party software -- is still just as important. I would actually rank anti-virus a distant third protection mechanism, given how poorly most anti-virus tools seem to be faring against the latest malware families.

Read on after the jump for other "fun-fun-fun-fun-fun" facts about the "T-I-Double-Guh-Er" Trojan that hint at its motives and perhaps origin.

Update, Feb. 25, 5:00 p.m. ET: Byron Acohido, the Pulitzer Prize-winning cyber security reporter for USA Today, has published a fascinating yarn about the underground market for customized banking Trojans that is worth a read.

Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles. iDefense analysts say this is most likely done because the in-your-face "hey, your-computer-is-infected-go-buy-our-software!" type alerts generated by such programs just might tip off the victim that something is wrong with his system, and potentially lead to all invaders getting booted from the host PC.

According to iDefense, it also installs a "rootkit" on the infected system that loads even when the system is started up in "Safe Mode," the Windows diagnostic boot sequence that is supposed to disable non-essential Windows components to make troubleshooting system problems easier. A rootkit is a set of tools designed to allow malware authors to better hide their creations in host systems so that they are extremely stealthy and difficult to remove.

Finally, iDefense's Ligh said one aspect of this new Trojan suggests the authors behind the Srizbi botnet may have had a hand in developing or distributing it. As a result of the shutdown of hosting provider McColo in November 2008, the Srizbi botnet -- at the time responsible for sending more than 40 percent of the world's spam -- was cut off from the servers its masters used to control it. But Srizbi had a built-in mechanism to resurrect itself: it told all infected systems to seek out a rotating set of new domain names every few days, names that the bad guys could (and did) use to regain control over the botnet.

According to iDefense, Tigger uses a special key code to extract its rootkit on host systems, a lengthy key that is almost identical to the key used by the domain name generation feature built into the Srizbi botnet.

While the nearly matching keys may be nothing more than a coincidence, it is unusual to find data-stealing Trojans that remove other malicious software, Ligh said. Rather, such features are far more commonly found in bot programs typically used to turn systems into spam relays, such as the Srizbi botnet.

"The scary part is, none of us are really sure how Tigger is even being distributed," Ligh said. "I look at a lot at info-stealing malware, and this is the first one I've seen in a while that goes to the trouble of removing other pieces of malware."