According to Sunbelt, the hub of the operation was a U.S.-based server storing megabytes of data stolen from thousands of infected computers, including passwords for online accounts from eBay and PayPal as well as more than 50 banks and credit card companies.
A Sunbelt representative said she could not release the names of the websites involved but added that the company has contacted the FBI and that the agency has launched an investigation based on the findings.
Sunbelt immediately issued a patch to its CounterSpy software to detect and remove the keylogger, Srv.SSA-Keylogger, a backdoor program that steals data from Internet users when they enter personal information into HTML forms.
The company also is sharing information with other security software makers.
The program automatically downloaded itself when users visited host sites. It is believed to be a variant of the better-known programs Dumaru and Nibu.
Sunbelt Vice President Eric Sites said that the program is particularly dangerous because it can grab text stored in clipboards as well as in the AutoComplete form-filling feature of Internet Explorer, the most popular web browser.
Such information is invaluable to thieves, Sites said, because it is already sorted and labeled.
“This is about getting money and stealing,” he said.
One bank account whose information was found on the server contained more than $380,000.