Tigger.A: Sophisticated trojan that likes stockbrokers

Customers and employees of firms that trade stocks and options beware, the Tigger.A trojan is targeting you. Michael Kassner tells you how and why.

Lately, I've been spending an inordinate amount of time fighting malware. My latest adventure started when a friend called me last Friday complaining that his computer was acting weird (his words). After a few questions, I sighed as the computer had all the signs of having caught something.

Normally this isn't a big deal. I have a spare notebook that I let people use while I'm working on their computer and my friend was counting on that. His stress level went up considerably once I told him that the spare was already loaned out. It seemed like only seconds later that my friend dropped off the computer and said please help.

To explain, my friend makes his living as a day trader (even in these tough times) and he needed his computer by early Sunday evening for the Far East stock markets. After his ranting subsided, I couldn't resist mentioning all the times I'd reminded him that he needed a spare computer for exactly this kind of situation. I'm not going to repeat what he said.

Curiosity prevented an immediate rebuild

I normally consider this type of problem an immediate rebuild, but I wasn't looking forward to that as I'd forgotten to image his computer when I originally set it up. That hesitation, coupled with the fact that I wasn't super busy (don't tell my friend that), allowed my curiosity to get the best of me. I really wanted to find out what was causing the problem, simply because I set up his computer identically to mine. I also know he religiously keeps his computer up to date. So this shouldn't have happened, as he told me repeatedly.

Thankfully, I didn't have to worry about data as my friend keeps all of his files on secure flash drives. So, I started investigating, at least as much as I could. The computer was indeed acting flaky. One thing that I look at first is the list of Microsoft updates that are installed on the computer.

I use Windows Explorer to drill down to C:\Windows, where each installed hotfix leaves an uninstall folder named $NtUninstallKBnnnnnn$. As I compared what was visible on my friend's computer to a known-good list, I noticed that $NtUninstallKB956803$ was missing. Hmmm. That update is MS08-066, the fix for the elevation-of-privilege flaw in the Ancillary Function Driver (afd.sys). I wonder why it didn't get installed during the Windows Update cycle. Could that be the chink in the armor? The slide above shows what is supposed to be there.
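The comparison described above is easy to automate. The following is an added example (it is not code from the article, and the baseline list is an assumption you would extend with the KB numbers from your own known-good machine): it parses the $NtUninstallKBnnnnnn$ folder names, compares them against a baseline of bulletin-to-KB mappings, and reports whatever is missing. The directory listing embedded in it is constructed sample data standing in for C:\Windows on an infected box.

```python
r"""Check a Windows XP/2003 box for missing security updates by reading the
$NtUninstallKBnnnnnn$ folders that each hotfix leaves under C:\Windows and
comparing them with a known-good baseline.

Added example, not code from the original article. BASELINE is an assumed
list for illustration; extend it from a machine you trust.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, Set

# Each installed hotfix on XP/2003 leaves an uninstall folder such as
# $NtUninstallKB956803$. Capture the KB number from that name.
UNINSTALL_DIR_RE = re.compile(r"^\$NtUninstallKB(\d+)\$$", re.IGNORECASE)

# Known-good baseline (assumed for this example): bulletin -> KB article.
# MS08-066/KB956803 is the update the article found missing (the afd.sys
# privilege-escalation fix); MS08-067/KB958644 is the Server service RPC
# fix released the same month.
BASELINE: Dict[str, str] = {
    "MS08-066": "KB956803",
    "MS08-067": "KB958644",
}

# Constructed sample listing of C:\Windows from a hypothetical machine that
# has KB958644 installed but not KB956803.
SAMPLE_WINDOWS_DIR = [
    "system32",
    "$hf_mig$",
    "$NtUninstallKB958644$",
    "Prefetch",
    "explorer.exe",
]


def installed_kbs(names: Iterable[str]) -> Set[str]:
    """Return the set of KB ids whose uninstall folder appears in `names`."""
    found: Set[str] = set()
    for name in names:
        m = UNINSTALL_DIR_RE.match(name)
        if m:
            found.add("KB" + m.group(1))
    return found


def missing_updates(installed: Set[str],
                    baseline: Dict[str, str] = BASELINE) -> Dict[str, str]:
    """Return bulletin -> KB for every baseline update absent from `installed`."""
    return {bulletin: kb for bulletin, kb in baseline.items()
            if kb not in installed}


def scan_windows_dir(windows_dir: Path = Path(r"C:\Windows")) -> Dict[str, str]:
    """Run the check against a real Windows folder (meaningful only on XP/2003)."""
    names = [p.name for p in windows_dir.iterdir()]
    return missing_updates(installed_kbs(names))


if __name__ == "__main__":
    gaps = missing_updates(installed_kbs(SAMPLE_WINDOWS_DIR))
    for bulletin, kb in sorted(gaps.items()):
        print(f"missing {bulletin} ({kb})")
```

Two caveats before trusting the result: these uninstall folders exist only on Windows XP and Server 2003 (Vista and later keep servicing data elsewhere), and disk-cleanup routines routinely delete them, so an absent folder is a prompt to cross-check with `wmic qfe list` or Add/Remove Programs, not proof the patch is missing. Conversely, the exploit only needs an unpatched afd.sys, so a present folder on a machine a rootkit already controls proves little.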

Malware named Tigger, how dare they

Before I started scanning the problematic computer, I did some digging on the Internet. Almost immediately, I came across an article titled Why I Enjoyed Tigger/Syzor by Michael Ligh, an iDefense security analyst and malware reconstruction expert. Whoa, that's one bad trojan. According to Ligh, Tigger/Syzor is one of the most sophisticated pieces of malware that exist today:

"The trojan uses a privilege escalation vulnerability (MS08-066), which is almost an exact replica of the public exploit on Milw0rm. It disables Windows Defender, Windows Firewall, Outpost, Avira, Kaspersky, AVG, and CA products in unique ways such as posting malformed messages to windows owned by the daemon processes, sending special byte codes over named pipes, and using the products' own API."

Did you notice the reference to MS08-066? That's what tripped my Google search and caught my attention: the trojan's privilege escalation relies on exactly the update that was missing from my friend's computer. Ligh continues:

"It installs a rootkit that runs in safe mode. The rootkit disables kernel debuggers, hooks FAT and NTFS file system drivers, and also prevents other processes from accessing the kernel driver's memory so tools like GMER and IceSword can't recover the .sys from RAM.

Tigger of course also injects code into user-mode processes. This component takes screen shots, hooks COM for spying on browser events, and exports passwords (protected storage, network and dial-up, and at least 11 popular chat, email, and remote access applications). It also steals web cookies, steals certificates, and puts the NIC in promiscuous mode to sniff FTP and POP3 passwords."

Just those abilities make Tigger/Syzor pretty impressive as trojans go, yet the list goes on. According to ThreatExpert.com, the trojan also logs keystrokes, collects system information, opens a backdoor on the compromised computer and, finally, tries to contact its command-and-control servers. To learn which domains are being used, check the Malware Domain List Web site.
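Ligh's point about the NIC being put into promiscuous mode to sniff FTP and POP3 passwords deserves a closer look, because it shows how little work that part of the trojan has to do. The block below is an added example (not code from the article or from Ligh's analysis): it reassembles client-to-server TCP payloads per flow and pulls out the USER/PASS pairs that both protocols send in the clear. It assumes you already have packets as (client, server, port, payload) tuples, for instance read from a pcap with a library such as scapy; the packets embedded here are constructed sample data, not a real capture. Run over a mirror-port capture of your own network, the same function doubles as a detector for cleartext logins.

```python
"""Extract cleartext FTP and POP3 logins from captured TCP payloads.

Added example, not from the original article or Ligh's analysis. FTP and
POP3 both send "USER <name>" and "PASS <secret>" as plain text unless the
session is wrapped in TLS, so anyone who can see the wire can read them.
SAMPLE_PACKETS is constructed data; the FTP login is deliberately split
across two segments to show why per-flow reassembly is needed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Ports on which USER/PASS travel in the clear by default.
CLEARTEXT_AUTH_PORTS = {21: "FTP", 110: "POP3"}

# One command per line in both protocols; match USER/PASS and the argument.
CRED_RE = re.compile(rb"^(USER|PASS)[ \t]+(\S+)[ \t]*\r?$",
                     re.IGNORECASE | re.MULTILINE)

Flow = Tuple[str, str, int]  # (client_ip, server_ip, server_port)

# (client_ip, server_ip, server_port, payload) in capture order.
SAMPLE_PACKETS: List[Tuple[str, str, int, bytes]] = [
    ("10.0.0.5", "192.0.2.10", 21, b"USER alice\r\nPA"),
    ("10.0.0.5", "203.0.113.7", 443, b"\x16\x03\x01\x00\xa5"),  # TLS, ignored
    ("10.0.0.5", "192.0.2.10", 21, b"SS s3cret!\r\nSYST\r\n"),
    ("10.0.0.9", "192.0.2.20", 110, b"USER bob@example.com\r\n"),
    ("10.0.0.9", "192.0.2.20", 110, b"PASS hunter2\r\nSTAT\r\n"),
    ("10.0.0.9", "192.0.2.20", 110, b"PASS again\r\n"),  # no USER before it
]


def reassemble_streams(packets) -> Dict[Flow, bytes]:
    """Concatenate client->server payloads per flow, restoring commands that
    were split across TCP segments. Only cleartext-auth ports are kept."""
    streams: Dict[Flow, bytes] = defaultdict(bytes)
    for client, server, port, payload in packets:
        if port in CLEARTEXT_AUTH_PORTS:
            streams[(client, server, port)] += payload
    return streams


def extract_credentials(packets) -> List[Dict[str, str]]:
    """Return one record per USER/PASS pair observed on an FTP or POP3 flow."""
    results: List[Dict[str, str]] = []
    for (client, server, port), data in reassemble_streams(packets).items():
        user = None
        for m in CRED_RE.finditer(data):
            cmd = m.group(1).upper()
            arg = m.group(2).decode("utf-8", "replace")
            if cmd == b"USER":
                user = arg
            elif cmd == b"PASS" and user is not None:
                results.append({
                    "proto": CLEARTEXT_AUTH_PORTS[port],
                    "client": client,
                    "server": server,
                    "user": user,
                    "password": arg,
                })
                user = None  # a PASS with no preceding USER is ignored
    return results


if __name__ == "__main__":
    for rec in extract_credentials(SAMPLE_PACKETS):
        print(f"{rec['proto']} {rec['client']} -> {rec['server']}: "
              f"{rec['user']} / {rec['password']}")
```

The reassembly here simply appends segments in capture order; a real implementation orders by TCP sequence number and drops retransmissions, which this example skips. The fix on the server side is to require TLS (FTPS or SFTP, POP3S or STARTTLS), after which a sniffer in promiscuous mode sees only ciphertext and this extractor finds nothing.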

Tigger/Syzor tries to do some good

In what may be construed as an ironic twist, Tigger/Syzor tries to remove other forms of malware (up to 20 different types) from its host computer. Experts feel this was included so the computer keeps behaving as normally as possible and the owner has no reason to go looking for trouble. The part I find intriguing is how it does all of this while keeping a very low profile. Ligh explained how Tigger/Syzor accomplishes this:

"The method that it uses to fork commands to the system and capture the output involves the use of temporary desktop stations so that window messages output by the programs don't get posted to the same desktop station as the logged-in user."

Tigger/Syzor targets people into stocks

While researching this resourceful piece of malware, I came across an article by the Washington Post's Brian Krebs titled The Tigger Trojan: Icky, Sticky Stuff and immediately noticed that this trojan has yet another unique twist. For some reason, Tigger/Syzor specifically targets people who work for, or are customers of, firms that trade stocks and options. According to Krebs, it's a very short, specific list:

"Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade and Scottrade."

My curiosity was greater than my concern of yet another tirade from my friend, so I called and asked if he had dealings with any of the above mentioned firms. Sure enough, he dealt with several of them on a regular basis. So beware if you are associated with any of those institutions.

Relatively unknown

Krebs mentioned that Ligh first found evidence of the Tigger/Syzor trojan in November of 2008. After four months, I thought there'd be more information about this trojan, but oddly there's not much at all. It could be that the anti-malware industry's inconsistent naming of these threats caused me to miss some information. I doubt it, though; it appears that Tigger/Syzor is just going about its business quietly.

Back to my friend's computer

The fact that it's relatively unknown had me wondering whether I'd have any luck removing the trojan. I could also tell it was a smart piece of malware, as it wouldn't allow me to install HijackThis or MBAM (Malwarebytes' Anti-Malware). I didn't even try GMER, based on what Ligh mentioned in his article.

I used a trick I learned from several TechRepublic members and renamed the MBAM installation file, which allowed MBAM to be installed. I then renamed the MBAM executable, and it ran as well. The trick works because malware of this kind usually blocks security tools by matching their well-known file or process names rather than by inspecting what the program actually does. MBAM flagged several files as malware, and I removed them. I ran MBAM several more times, eventually ending up with a machine it reported as clean.

On the surface, I could tell the computer was now operating normally. Still, I didn't trust it and eventually rebuilt the system, just to be safe: a rootkit that hooks the file system drivers can hide from the very scanner that reports the machine clean. I made an image this time as well. Still, I'm glad I took the time to determine what was happening. It sure was an eye-opening experience.

Final thoughts

I mentioned earlier that the Tigger/Syzor trojan is designed to be very quiet, leaving the user totally unaware of its presence. So my friend was fortunate: something must have gone wrong between the trojan and the operating system, because it was far from quiescent.

I'd like to leave you with one final thought from Michael Ligh as it's my perception as well:

"The scary part is, none of us are really sure how Tigger is even being distributed. I look at a lot of info-stealing malware, and this is the first one I've seen in a while that goes to the trouble of removing other pieces of malware."



Comments
ogregator

Get the feeling that it was a ticked off client or ex-staffer?

Photogenic Memory

I have very little experience with programming languages other than bash (and I don't do too much of it lately). However, this is a very versatile trojan that's sophisticated. How do anti-virus companies keep up with this? Are they keeping up with this? I guess the only way to protect your systems is to freshly install them and keep programs in check by preventing changes to itself? I'm unsure. I'd hate for my home PCs to be added to a bot-net without realizing it, or worse, have my personal info stolen. Kinda scary. My friends online and I are all following this article. Thanks for posting. It's a real treat. Hopefully, by the time my scan finishes, it'll end on a sweet note.

Jacky Howe

It could possibly take advantage of unpatched systems prior to the MS08-066 update to infect them. That may, as you say, be the chink in the armor. It must be smart enough to stop that particular update if the system was infected prior to the update. Thank you for bringing it to our attention and for sharing the fix. It's certainly a nasty little bugger.

Wcoyote1

I agree with your assessment, Michael. This is definitely quite the malware masterpiece. Insidious, quiet, unobtrusive, specific ... it's almost like the Navy SEAL of malware. And that's what troubles me. What if this was designed with all the capabilities and specifically told to seek out a small community of users, for no other reason than to test it in a "live" environment? A little food for thought here. Relatively speaking, this critter has the capability to do just about anything asked of it without any real problems at all. It's been engineered to be stealthy, even to the extent of eliminating competitor programs just to throw off the proverbial scent. It can pass tons of normally secure information quietly and without raising a ruckus. And at this moment in time, it's being used on a very small segment of the population, almost like pinpoint bombing. So what's this thing really going to be used for?

jules-20

I really liked your article. Although extremely scary, it was very enlightening.

igmuskala

Your subscription link at the bottom is messed up...

fvazquez

What a pity that, with less precious working time every day, we have to spend it protecting against and worrying about viruses and other computer threats instead of dedicating our time to developing software or whatever it is that we do... I have had to reinstall my computer several times in the last year because of some sort of virus, even though I have Kaspersky and Lavasoft's Ad-Aware... So I keep thinking that antivirus development companies are behind all this; after all, who benefits, making enormous profits, when most of us suffer information losses?... That's my humble opinion. Francisco Vazquez

bdunlop

Please could you let me know what you use for imaging machines for recovery?

Brother Martin de Porres

When the computer industry evolves out of the 'wet nappy' stage, we will have systems to deal with this mischief. Like a 'Rapid Police Response Unit' in every City.....CRASH!....The offending door is kicked in with attitude, the mischief maker taken down to the Police Station and a few questions asked. "Who put you up to this?...we can go easy, or we can go hard! it's your choice!"

Michael Kassner

Michael Ligh has already reverse engineered it. He is considered an expert at that. I also suspect that they are keeping it under tight wraps. Once it gets better known, I'm pretty sure others will reverse engineer it as well, and Tigger or variants of Tigger will become more popular in the wild.

Michael Kassner

Hey, Jacky. First, it's a bit off topic, but I wanted to ask if you were OK and not affected by those terrible fires in your homeland. Second, you nailed a huge frustration point of mine. I have no idea when Tigger was let loose. Michael Ligh is huge in my world. He and Dr. Jose Nazario are the premier experts/sources in this field, IMO. Yet Michael initially found Tigger in November, and MS08-066 was released on the normal 14 Oct 2008 release schedule. So I'm clueless as to any kind of timeline.

Michael Kassner

It almost seems like it's being wasted on such a small population of targets. Still, the other issue is that there is precious little information on how it spreads.

xspecx

It could only mean that the virus has made itself a patch that keeps the processor running without any interrupt phases! The very mean method to "BURN OUT" your processor if not stopped before it's too late!

Michael Kassner

I think I fixed it now. Please try again. I'd love to have you get the newsletter.

JCitizen

if you expect to defend your PC or network. A blended defense is the only way to minimize the risk. Windows has a drive lock utility (free, I think) that would totally keep any malware from modifying the operating system drive. Files have to be stored off the primary partition or drive, however. Any secondary drive would do.

M.Ranck

Being a patriot, I almost hate to suggest it, but I wouldn't be half surprised to learn our own government could be behind at least some of the threats out there. Think about it: how better to ensure that our computer defenses are secured than by introducing malware into the environment and letting the private sector analyze and develop the solution? That certainly would, over time, plug hole after hole. Makes you wonder how many holes there are! ;-)

Michael Kassner

Are in agreement with you. I'm kind of ambivalent. If any evidence was found, it would totally ruin the company. I'm not sure if that's worth the risk. As I've said on many occasions, it is one heck of a business plan, though.

Photogenic Memory

I was debating about going to see the Friday the 13th remake, but this tops it well over! LOL! When you think of programs like this, I wouldn't think of it mainly as targeting a select group of people. Probably this program was developed as some sort of intelligence-gathering device that was "repurposed" by a talented individual. I can only have dreams of having skills like that. But the collection of people's precious private info is disturbing and evil. Overall, no one is safe. Since this is financially motivated, I wouldn't worry about an OS killer lurking out there. However, you can't be too sure about the next person who reverse engineers it and decides to do something grand and utterly stupid. Thanks Michael! You've got great resources and good instincts. Thanks for sharing. I've come to rely on your insight.

Jacky Howe

No, they were nowhere near me, Michael, and thanks for your concern, but the bushfires were well to the south of where I live. Unfortunately those fires were an accident waiting to happen, and you can't help but feel for the families involved. The MS08-066 update was performed on 15/10/08 on my main system. Tigger/Syzor could have been in the wild for some time before it was picked up. We are very lucky to have people like Michael Kassner, Michael Ligh and Dr. Jose Nazario doing the work that they do. I certainly take my hat off to them. Depending on the virus, malware or spyware, I sometimes like to check the user's history, if it is available, to see where they might have been. It sometimes provides an indication as to the source of the infection, but it isn't always reliable.

kh_aussie

$NtUninstallKB956803$, according to what I have found, is only relevant to XP users. Is this correct?

Michael Kassner

Oh, by the way, I tried Comodo and it worked well on one computer and kept locking up another. Both are the same image, weird.

richard

The latest Ghost is fine for home PCs. BESR (Backup Exec System Recovery from Symantec) is better for corporate systems and includes restore to dissimilar hardware. Ghost is really a modified version of BESR, not the old DOS-based product. The Acronis products are largely equivalent.

JCitizen

remote control is considered such a feature nowadays, nobody wants to do without it. I can see why people like it, but I've done without since 2005. I can live without it.

Michael Kassner

That if a great hardware solution was found, none of the software types would be able to set up back doors.

JCitizen

with all the hype and no substance, I think they (Intel) were just trying to wallpaper their mistakes. It also looks like coreboot has foiled hardware TPM by trapping the original data and forwarding TPM calls to the processor. I can't help but feel there is a hardware solution that would be extremely hard to defeat. It just takes a little more priority by the circuit designers and a little less gimmickry by the vendors' developers.

seanferd

Don't know if it was ever fixed. And the crazy Flash site and rock videos (directed by Christopher Guest) are gone. Lame.

Michael Kassner

I was thinking more along the lines of TPM. I'll look into Pro, though; I'm not completely familiar with it.

JCitizen

I never could make heads or tails out of that product, too much sales and not enough substance on the information!

Michael Kassner

The real answer will have to be hardware-based. Sophisticated malware is operating at levels equal to or before the kernel gets going. So anything that you install at the applications level can be controlled by the malware. Which renders that application useless.

JCitizen

Michael, that with the increasing sophistication of malware nowadays, one can only feel assured by using either full drive encryption or some kind of drive lock like the free Microsoft utility, or DeepFreeze? Or perhaps both?

Michael Kassner

I appreciate your support and insightful comments. I also hope that being informed will benefit all of us.

Michael Kassner

I guess you can tell I have an interest in this stuff.

JCitizen

and particularly where Michael is involved. He really rules in the security area! :) No response necessary, Michael; just fact!

Michael Kassner

You have at least a zillion points for helping people, yet you say things like that. It's extremely appreciated. I love IT security and live for writing about this stuff. Especially when extremely significant types such as yourself want to hear about it. Thank you. Oh, as an aside, I'd love your take on my latest article: http://blogs.techrepublic.com.com/security/?p=997

JCitizen

That will only be for a while! :(

Michael Kassner

The computer just locks up and the processor goes to 100% usage.

JCitizen

I assume they are the same make/model if they have identical images. I'd be curious to know if any alert was visible when it locks up the unit? Maybe some bug has disabled the visual alert side of Defense+? I do believe the console is password-lock capable. Hmmm! If you find the alerts disconcerting while on the administrative side, you can always temporarily disable Defense+. I've never tried their Vista version, as I am unfortunately married to Norton right now. The UAC pretty nearly replaces it, though. Although knowing what file was modifying another would still be nice to know, when you're incurably paranoid about computing, like me.

JCitizen

What I mean is, do they continue to develop and sell Ghost or a newer version thereof? When I investigated my failed use of Norton Ghost, I noticed it was still listed on the Internet as being in that business. I quit using Symantec's version for reasons cited by you on this thread. The installed version was a disaster.

Michael Kassner

You sold me. I'm going to get it for one of my clients.

cbader

Yeah, it's great. I can image a machine and restore the image to dissimilar hardware; I can change the name of the computer and either join it to a domain or workgroup; it will even change the SID of the machine. You have a lot of options with it.

Michael Kassner

Have you any thoughts about Snap Deploy? I think I'm going to bite as it has all sorts of neat features.

cbader

I have an Acronis PXE server at my office and at my datacenter, and they are great. Like you, I really don't like Symantec products, so I like having the alternative. I also use Acronis True Image at home. No complaints about any of Acronis' software offerings.

richard

No. I've been using the products for DR mostly, or to migrate to upgraded h/w. I typically use two types of backup at a client location: imaging and tape, or imaging and remote storage.

Michael Kassner

Richard, have you looked at Snap Deploy? It has a lot of neat features. I guess my problem is that I'm really averse to anything from Symantec at this point.
