Phishing Worm Installs Trojan Without Trickery

The threat posed by phishing has racheted up a notch with the Korgo worm, which auto-infects unpatched Windows systems with a keylogging trojan, steals online banking information, and secretly transmits data back to the fraudsters.

The worm represents an alarming advance in phishing, as it forgoes the need to trick the end user into divulging details. Phishing trojans that monitor keystrokes are not new, but to date have required some form of response to an e-mail "bait." Korgo uses the LSASS vulnerability to auto-infect Windows systems that haven't applied the MS04-11 patch issued April 11.

Korgo's phishing activities were documented by F-Secure, which reports that the associated trojan is aggressively stealing user information from infected machines. "It does this via a keylogger which specifically collects user logins for online banks (the ones which do not use one-time passwords)," writes F-Secure's Mikko Hypponen. "It also logs everything the user types to any web form - this will collect lots of credit card numbers, passwords etc."

That information is sent to one of 11 geographically distributed Internet Relay Chat (IRC) servers, including eight different servers on the Undernet IRC network, which claims to have 45 servers in 35 countries.

The emergence of phishing worms presents yet another reason for Windows users to be vigilant about patching their systems. Korgo's victims, whose machines remained unsecured more than 45 days after a fix became available, ignored persistent calls to install patches. Only the security laggards were victimized this time. But as with any malware proof-of-concept, the attack agent is apt to arrive more quickly the next time an opportunity arises.