New Worm Sniffs for Paypal Information

Jeff Berg
CYBERSPACE – A new worm variant identified last week that targets Microsoft products also includes a new feature rarely seen in worms – it monitors network traffic searching for passwords and Paypal account information, according to network security firm Trend Micro.

Identified Sept. 8, the new variant of the SDBot Worm takes advantage of vulnerabilities in Microsoft operating systems and installs a Trojan horse that potentially allows an attacker to gain access to systems, as well as a network packet sniffer that searches for words like, “login,” “auth,” and “paypal.”

"If the Trojans described by Trend can successfully transmit the filter’s packet captures back to the owner they are going to cause problems well beyond typical bot infestation issues,” said Patrick Nolan of the Internet Storm Center, an organization devoted to analyzing Internet worms.

Designated SDBot.UH or “Bling.exe,” because of the filename under which it spreads itself, the worm employs a variety of transmission mechanisms and allows attackers to connect to infected machines, execute files, delete security logs and even watch users if they have a webcam attached to their computer.

Trend Micro warns that the worm can also perform distributed Denial of Service attacks against random IP addresses and attempts to steal CD authorization keys for computer games.

Network sniffers, usually employed by network administrators to diagnose problems, can also be illicitly installed and used to monitor information that travels through the network.

Rich Miller of British internet services company Netcraft says that although sniffers are notoriously hard to detect because they gather information instead of transmitting it, a few programs exist that can alert users to someone listening in on their electronic transmissions.

Trend Micro notes that the new SDBot variant uses the carnivore network sniffer, originally developed by the FBI to monitor suspects’ email. Trend is also reporting that the amount of computers infected by the new variant is low, but both the damage and distribution potential are high.