The Tigger Trojan: Icky, Sticky Stuff

There are 4 comments on the voices.washingtonpost.com story from Mar 12, 2009, titled The Tigger Trojan: Icky, Sticky Stuff. In it, voices.washingtonpost.com reports that:

A relatively unknown data-stealing Trojan horse program that has claimed more than a quarter-million victims in the span of a few months aptly illustrates the sophistication of modern malware and the importance of a multi-layered approach to security. ...

When analysts at Sterling, Va., based security intelligence firm iDefense first spotted the trojan they call "Tigger.A" in November 2008, none of the 37 anti-virus products they tested it against recognized it.

SUPERIOR AUSSIE

“Ride Hard Die Free”

Since: May 08

bullet-proof tiger

#1 Mar 13, 2009
What a stupid story. New viruses are made every day.

“Killing range: 1,350m”

Since: Oct 08

your backyard

#2 Mar 13, 2009
Yeah, but not one that 37 out of 38 leading anti-virus programmes do not pick up. It is like a new strain of flu that no medication can cure. The hackers are usually one step ahead, but this in comparison is further than a country mile and acute in the way it was targeted. Probably more of a worry for us system security nerds than the average joe, no doubt.

SUPERIOR AUSSIE

“Ride Hard Die Free”

Since: May 08

bullet-proof tiger

#3 Mar 13, 2009
Well yeah now that I have done some research on it, it does look like a fine bit of work.
This I found interesting:
Before I started scanning the problematic computer, I did some digging on the Internet. Almost immediately, I came across an article titled Why I Enjoyed Tigger/Syzor by Michael Ligh, an iDefense security analyst and malware reconstruction expert. Whoa, that’s one bad trojan. According to Ligh, Tigger/Syzor is one of the most sophisticated pieces of malware that exists today:

“The trojan uses a privilege escalation vulnerability (MS08-066), which is almost an exact replica of the public exploit on Milw0rm. It disables Windows Defender, Windows Firewall, Outpost, Avira, Kaspersky, AVG, and CA products in unique ways such as posting malformed messages to windows owned by the daemon processes, sending special byte codes over named pipes, and using the products’ own API.”

Did you notice the reference to MS08-066? That’s what tripped my Google search and caught my attention. Ligh continues to explain:

“It installs a rootkit that runs in safe mode. The rootkit disables kernel debuggers, hooks FAT and NTFS file system drivers, and also prevents other processes from accessing the kernel driver’s memory so tools like GMER and IceSword can’t recover the .sys from RAM.

Tigger of course also injects code into user-mode processes. This component takes screen shots, hooks COM for spying on browser events, and exports passwords (protected storage, network and dial-up, and at least 11 popular chat, email, and remote access applications). It also steals web cookies, steals certificates, and puts the NIC in promiscuous mode to sniff FTP and POP3 passwords.”

Just those abilities make Tigger/Syzor pretty impressive as trojans go. Yet the list goes on. According to ThreatExpert.com, the trojan also logs keystrokes, collects system information, enables a backdoor on compromised computers, and finally tries to initiate communications with command and control servers. To learn what domains are being used, check out the Malware Domain List Web site.
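One defensive angle on the behaviour quoted in the post above (the trojan shutting down Windows Defender, Windows Firewall and several anti-virus products in quick succession) is to watch the Service Control Manager log for several protective services entering the stopped state within a short window. The script below is an added example written for this thread; it is not code from the Washington Post article, the quoted blog, iDefense or ThreatExpert. The log lines are constructed samples in a hypothetical flattened text form (a real event export looks different), and the list of service-name keywords is an assumption built from the products named in the quote.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Windows System log lines in a hypothetical flattened
# text form. Event ID 7036 is the Service Control Manager's
# "The <name> service entered the <state> state." message.
SAMPLE_LOG = """\
2009-03-13 09:11:58 EventID=7036 Source=Service Control Manager Message=The Print Spooler service entered the running state.
2009-03-13 09:12:01 EventID=7036 Source=Service Control Manager Message=The Windows Defender service entered the stopped state.
2009-03-13 09:12:02 EventID=7036 Source=Service Control Manager Message=The Windows Firewall service entered the stopped state.
2009-03-13 09:12:03 EventID=7036 Source=Service Control Manager Message=The Kaspersky Anti-Virus service entered the stopped state.
2009-03-13 11:40:10 EventID=7036 Source=Service Control Manager Message=The Windows Update service entered the stopped state.
2009-03-13 11:40:11 EventID=7036 Source=Service Control Manager Message=The Windows Update service entered the running state.
"""

# Assumed keywords for the protective products named in the thread; a real
# deployment would use the exact service names installed on the host.
SECURITY_SERVICE_KEYWORDS = (
    "windows defender", "windows firewall", "kaspersky", "avira", "avg", "outpost",
)

# Parses one line of the constructed export format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<id>\d+) Source=(?P<src>[^=]+?) "
    r"Message=The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$"
)


def parse_events(text):
    """Turn the flattened log text into a list of event dictionaries."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not service state changes
        events.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(m["id"]),
            "service": m["svc"],
            "state": m["state"],
        })
    return events


def is_security_service(name):
    """True if the service name matches one of the assumed security products."""
    lname = name.lower()
    return any(k in lname for k in SECURITY_SERVICE_KEYWORDS)


def find_mass_disable(events, window_seconds=60, min_services=2):
    """Return alerts where >= min_services distinct security services stopped
    within window_seconds of each other. Ordinary stops of unrelated services
    (Windows Update in the sample) are ignored."""
    stops = [
        e for e in events
        if e["event_id"] == 7036 and e["state"] == "stopped"
        and is_security_service(e["service"])
    ]
    stops.sort(key=lambda e: e["time"])
    alerts = []
    i = 0
    while i < len(stops):
        window_end = stops[i]["time"] + timedelta(seconds=window_seconds)
        group = [e for e in stops[i:] if e["time"] <= window_end]
        names = sorted({e["service"] for e in group})
        if len(names) >= min_services:
            alerts.append({"start": stops[i]["time"], "services": names})
            i += len(group)  # consume the whole cluster
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_mass_disable(parse_events(SAMPLE_LOG)):
        print(alert["start"], "security services stopped together:", ", ".join(alert["services"]))
```

Tuning note: the window and threshold are deliberately conservative so that a legitimate product upgrade restarting one service does not fire; a cluster of different vendors' services stopping within seconds is the pattern worth paging on.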

SUPERIOR AUSSIE

“Ride Hard Die Free”

Since: May 08

bullet-proof tiger

#4 Mar 13, 2009
Not bad at all. I wish I had thought of that.

Tigger/Syzor targets people into stocks

While researching this resourceful piece of malware, I came across an article by Washington Post’s Brian Krebs titled The Tigger Trojan: Icky, Sticky Stuff and immediately noticed that this trojan introduced yet another unique twist. For some reason, Tigger/Syzor is specifically targeting people that work for or are customers of firms that trade stocks and options. According to Krebs, it’s a very short specific list:

“Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade and Scottrade.”

My curiosity was greater than my concern of yet another tirade from my friend, so I called and asked if he had dealings with any of the above-mentioned firms. Sure enough, he dealt with several of them on a regular basis. So beware if you are associated with any of those institutions.
