New Trojan Circulating, Capturing Digital Certificates
Security researchers at Internet security company Symantec have warned that a new Trojan is being distributed through tax-themed spam e-mail. It is built specifically to steal digital certificates, including private key certificates, along with clipboard data and keystrokes from infected PCs.
Symantec identifies the malware as 'Infostealer.Nimkey' and says it arrives on computers as files named report6.com, irs-pdf-f941.irs.com or details.com. The .com file type is an uncommon executable format, and it has clearly been chosen as a social engineering tactic: the names exploit people's familiarity with the popular .com domain suffix, so that an executable looks like a web address.
The Trojan reportedly targets PKCS#12 key certificate files, a widely used format. These files contain the private key alongside the certificate, and the private key is exactly what the attackers need to misuse the affected users' digital signatures.
Typically, the infection begins with spam e-mails containing malicious links that deliver the Trojan. Sometimes the e-mail instead carries an attachment with a .com suffix; it looks like a link, but it is in fact an executable that is deceptively made to run when opened.
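The trick described above, a .com executable whose filename reads like a web address or a PDF link, is easy to catch at a mail gateway once you look for it. The following is an added example (not Symantec's detection logic and not code from the original report) of an attachment classifier: it flags directly executable extensions, names that mimic a .com hostname, document extensions hidden in front of an executable extension, and content whose PE header contradicts a document extension. The sample attachment names are taken from the article; their byte contents are constructed for illustration, and all function names are this example's own.

```python
"""Flag e-mail attachments that disguise an executable as a web address or document."""
import re

# Extensions Windows will run directly when double-clicked; .com is the one
# this Trojan used, but the same disguise works with any of them.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}

# Document types a decoy typically pretends to be (the samples posed as an IRS PDF).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".xls", ".txt"}

# A hostname-like stem such as "irs-pdf-f941.irs" sitting in front of ".com".
_HOSTNAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]*(\.[a-z0-9-]+)*$")


def extension_of(name: str) -> str:
    """Return the lower-cased final extension including the dot, or ''."""
    name = name.lower()
    idx = name.rfind(".")
    return name[idx:] if idx >= 0 else ""


def classify_attachment(filename: str, head: bytes):
    """Return ("block" | "allow", [reasons]) for one attachment.

    `head` is the first few bytes of the attachment body (used for a cheap
    content check); an empty bytes object skips the content checks.
    """
    reasons = []
    ext = extension_of(filename)
    stem = filename.lower()[: -len(ext)] if ext else filename.lower()

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")

    # "report6.com", "irs-pdf-f941.irs.com": an executable named like a domain.
    if ext == ".com" and _HOSTNAME_RE.match(stem):
        reasons.append("name reads like a .com web address")

    # "f941.pdf.exe": a document extension hidden in front of an executable one.
    inner = extension_of(stem)
    if inner in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"document extension {inner} hidden before {ext}")

    # A Windows PE image ("MZ" header) claiming to be a document is a lie;
    # a .com file with an MZ header is a renamed PE, which Windows still runs.
    if head.startswith(b"MZ"):
        if ext in DOCUMENT_EXTENSIONS:
            reasons.append("PE header in a file claiming to be a document")
        elif ext == ".com":
            reasons.append("PE header inside a .com file")

    return ("block" if reasons else "allow"), reasons


def scan_attachments(attachments):
    """Classify a list of (filename, head_bytes) pairs; returns [(name, verdict, reasons)]."""
    return [(name, *classify_attachment(name, head)) for name, head in attachments]


# Constructed sample message: the three names from the report plus a benign PDF
# and a double-extension variant. Byte contents are illustrative only.
SAMPLE_ATTACHMENTS = [
    ("irs-pdf-f941.irs.com", b"\xb8\x00\x4c\xcd\x21"),   # raw .com stub (constructed)
    ("report6.com", b"MZ\x90\x00\x03\x00"),               # PE renamed to .com (constructed)
    ("details.com", b""),                                 # body not inspected
    ("f941.pdf", b"%PDF-1.4\n"),                          # genuine PDF
    ("f941.pdf.exe", b"MZ\x90\x00"),                      # double extension
]

if __name__ == "__main__":
    for name, verdict, reasons in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{verdict:5} {name:24} {'; '.join(reasons)}")
```

The hostname check is deliberately limited to `.com` because that is the only executable extension that coincides with a common top-level domain; the other rules are general and would also apply to an `.exe` or `.scr` disguised the same way.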
Once the Trojan runs, it opens a browser window to http://www.irs.gov/pub/irs-pdf/f941.pdf (Form 941 for 2010: Employer's QUARTERLY Federal Tax Return), a decoy that draws the user's attention away from what is happening in the background.
While the user is still working out what has happened, Infostealer.Nimkey downloads additional malware components. Some of these record the URLs the user visits, while others search for PKCS#12 certificate files. A keylogger is also installed to capture keystrokes and clipboard contents. All of the stolen material is then transmitted to a remote server located in China.
The researchers note that malware distributors now know their code is far more likely to be allowed to run when it is signed with a legitimate digital certificate. The recent Stuxnet virus has been linked to exactly that.
The researchers also advise administrators and users to follow 'best security practices': setting complex, hard-to-crack passwords for files, turning off AutoPlay so that executables cannot launch automatically from removable drives or network shares, disconnecting drives when they are not in use, disabling non-essential services, and running a high-quality antivirus product that is kept up to date.
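On Windows the "turn off AutoPlay" advice above is expressed through the NoDriveTypeAutoRun policy value under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer` (and the matching HKCU key), a bitmask with one bit per drive type where a set bit disables AutoRun for that type and 0xFF disables it everywhere. The following is an added audit script (not Symantec's tooling and not part of the original article) that decodes such a value, checks that at least the removable-drive and network bits are set as the advice requires, parses the value out of `reg query` output, and, when run on Windows, reads the live machine policy via `winreg`. The `reg query` text below is a constructed sample; function names are this example's own.

```python
"""Audit the NoDriveTypeAutoRun policy that controls AutoRun per Windows drive type."""
import re
import sys

# Bit values of NoDriveTypeAutoRun, one per Windows drive type (GetDriveType).
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "reserved",
}
DISABLE_ALL = 0xFF
# The article's minimum: no automatic launch from removable drives or network shares.
REQUIRED_BITS = 0x04 | 0x10

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def autorun_disabled_for(value: int):
    """Drive types for which AutoRun is disabled by this value."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if value & bit}


def autorun_still_enabled_for(value: int):
    """Drive types that would still AutoRun under this value."""
    return set(DRIVE_TYPE_BITS.values()) - autorun_disabled_for(value)


def is_compliant(value) -> bool:
    """True only if removable and network AutoRun are both disabled."""
    return value is not None and (value & REQUIRED_BITS) == REQUIRED_BITS


def parse_reg_query(text: str):
    """Extract the hex DWORD from 'reg query' output; None if the value is absent."""
    m = re.search(r"NoDriveTypeAutoRun\s+REG_DWORD\s+0x([0-9a-fA-F]+)", text)
    return int(m.group(1), 16) if m else None


def read_live_policy(hive_name: str = "HKLM"):
    """Read the value from the registry on Windows; returns None elsewhere or if unset."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(hive, POLICY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            return int(value)
    except OSError:
        return None


# Constructed sample of 'reg query' output on a hardened host (0xff = all disabled).
SAMPLE_HARDENED_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0xff
"""

# Constructed sample value with only the unknown, network and reserved bits set:
# removable drives and CD-ROMs would still AutoRun, so it fails the check.
SAMPLE_WEAK_VALUE = 0x91


def report(value) -> str:
    """Human-readable one-line verdict for a policy value (None = policy not set)."""
    if value is None:
        return "NoDriveTypeAutoRun not set: AutoRun follows Windows defaults (NOT compliant)"
    status = "compliant" if is_compliant(value) else "NOT compliant"
    enabled = ", ".join(sorted(autorun_still_enabled_for(value))) or "none"
    return f"0x{value:02x}: {status}; AutoRun still enabled for: {enabled}"


if __name__ == "__main__":
    print(report(parse_reg_query(SAMPLE_HARDENED_OUTPUT)))
    print(report(SAMPLE_WEAK_VALUE))
    print("live HKLM policy:", report(read_live_policy("HKLM")))
```

Setting the value to 0xFF in both HKLM and HKCU is the usual remediation; the audit treats a missing value as non-compliant because an absent policy simply means the operating system default applies.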
» SPAMfighter News - 04-10-2010