UK Business Blitzed by More Than 3 Million Password-Stealing Trojans
More than 3.2 million emails carrying a new password-stealing Trojan were sent to UK businesses over the weekend, according to on-demand security services company BlackSpider Technologies.
The virus caught the anti-virus community cold and enjoyed a window of exposure (the time between the malware being released and an anti-virus vendor issuing a patch) of more than 52 hours; measured in these terms it is by far the most successful zero-day virus witnessed by BlackSpider in the past 12 months.
The Trojan was first seen at 4:55am on Saturday morning (25 February) and increased in volume throughout Sunday (26 February). It was finally patched by the first anti-virus vendor, Symantec, at 9:55am on Monday (27 February), and was named PWSteal.Tarno.S.
The subject line of the virus is: Notification: Your Account Temporally Limited
The body of the text reads:
Dear PayPal customer!
As part of our security measures, we regularly screen activity in the PayPal system. We recently contacted you after noticing an issue on your account.We requested information from you for the following reason:
We recently received a report of credit card use associated with this account. As a precaution, w have limited access to your PayPal account in order to protect against future unauthorized transactions.You can check your transaction details in attachment.
Case ID Number: RR-0922-014
If, after reviewing your transaction information, you seek further clarification regarding your account access, please contact PayPal by visiting the Help Center and clicking "Contact Us".
We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.
PayPal Account Review Department
PayPal Email ID RR-0922
The attachment is an FSG-packed executable called RR-0922-014.exe and is 5492 bytes in size.
James Kay, CTO, BlackSpider Technologies, comments: "The hacker behind this virus has done a real number on the AV community. The virus was spammed out and we have seen it in enormous numbers. It was hardly a discreet attack, so I'm at a loss as to why it took an AV vendor so long to take action. I'm sure the hacker can't believe his/her luck: a virus that went out early Saturday was still unpatched two days later."