November 18th, 2008

Fake Windows XP activation trojan goes 2.0

Posted by Dancho Danchev @ 7:23 pm

Categories: Anti Virus, Botnets, Browsers, Hackers, Malware, Microsoft, Passwords, Privacy

Tags: Security, Cybercrime, Crimeware, Social Engineering, Windows XP, Dancho Danchev

Known as Kardphisher and “in the wild” since April 2007, this trojan horse mimics the Windows XP activation interface while collecting the credit card details the end user submits. Last week its author made significant changes to the trojan's visual interface and usability, consequently improving its authenticity. Guess what happens when a gullible end user falls victim to this social engineering attack?

Their credit card details end up automatically in an IRC channel set up specifically for that purpose. Some of the changes in the new version include a more legitimate-looking color scheme, improved restrictions making it much harder for the end user to close the application without submitting their credit card details, built-in validation of credit cards and email, and display of the current product key to make the application look more legitimate. Once the user has entered all the validated data, the new version of the tool automatically removes itself, as if the activation was successful. Moreover, a bogus “verified by Visa” message that also requests a social security number and a date of birth makes the trojan the perfect tool in the hands of identity thieves relying on nothing but plain, simple social engineering that impersonates Microsoft.
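Because the stolen details are posted to an IRC channel, one defensive check is to scan captured plain-text outbound IRC traffic for card numbers that pass the Luhn checksum. The sketch below is an added example, not part of the original post; the sample lines, channel names and message layout are constructed, since the post does not give the trojan's real message format.

```python
import re

# Candidate card number: 13-19 digits, optionally split by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# IRC message line: optional ":prefix ", then PRIVMSG <target> :<text>.
PRIVMSG_RE = re.compile(r"^(?::\S+ )?PRIVMSG (\S+) :(.*)$")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first 6 / last 4 so the alert itself never stores the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_irc_lines(lines):
    """Return one alert per Luhn-valid card number seen in a PRIVMSG line."""
    alerts = []
    for lineno, raw in enumerate(lines, 1):
        m = PRIVMSG_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # NICK, JOIN, PING etc. carry no message text
        target, text = m.groups()
        for cand in PAN_RE.finditer(text):
            digits = re.sub(r"\D", "", cand.group())
            if luhn_ok(digits):
                alerts.append({"line": lineno, "target": target, "pan": mask(digits)})
    return alerts


# Constructed sample capture: public test card numbers, made-up channel names.
SAMPLE = [
    "NICK host1234\r\n",
    "JOIN #example-channel\r\n",
    "PRIVMSG #example-channel :4111 1111 1111 1111|12/10|123|user@example.com\r\n",
    "PRIVMSG #help :build 1234567890123456 finished\r\n",  # 16 digits, fails Luhn
    "PRIVMSG #example-channel :5500-0000-0000-0004 exp 01/11\r\n",
]

if __name__ == "__main__":
    for alert in scan_irc_lines(SAMPLE):
        print(alert)
```

The Luhn filter keeps long non-card digit runs, such as the build number in the fourth sample line, from raising alerts.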

The latest Kardphisher may indeed be filling in all the gaps from the previous version, but for the time being the trojan can never scale as efficiently as crimeware “in the middle” does. Among the main growth factors for the increasing number of such malware remains the fact that, throughout the entire year, proprietary crimeware kits costing several thousand dollars on average started leaking out, allowing many new entrants to start using what was once a highly exclusive tool in the arsenal of the experienced cybercriminal.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.

