Australia's Leading Computer Emergency Response Team

Media Release - Response to recent media coverage of the A-311 Death (aka: Haxdoor) trojan
Date: 04 August 2006
Original URL: http://www.auscert.org.au/render.html?cid=3000&it=6581
References: AL-2006.0049  

Introduction


In recent days there has been a significant amount of media attention regarding the A-311 Death Trojan (also known as Haxdoor) [1][2][3].

On Wednesday 2 August 2006 the Australian Taxation Office released a statement regarding virus infections which had captured tax file numbers. This media release attempts to clarify a number of points regarding AusCERT's handling of this incident.

The "National Bank bankrupt" trojan incident


In mid-June AusCERT observed spam and posts to online discussion forums which claimed that the "National Bank" was bankrupt. To get further information, readers of the spam and posts were encouraged to click on a URL link. In doing so, the user's computer would, in most cases, become infected with the trojan.

AusCERT responded to this threat by publishing an alert [4] and requested that ISPs and domain name registrars which were hosting sites (or had registered domains) act to stop this attack. Analysis of this malicious software (malware) showed that most anti-virus packages did not detect this trojan at the time it was released. AusCERT routinely sends malware samples to AV vendors, including on this occasion.

In responding to this incident, AusCERT received information which allowed us to identify some computers infected by this trojan, including in Australia. AusCERT has attempted to securely distribute this information back to key stakeholders in Australia and elsewhere. Approximately 10,000 computers in Australia have been infected with this trojan and 35,000 world wide. It is AusCERT's assessment that these infections are likely to have occurred through other spam runs and haxdoor variants not just one associated with the National Bank bankrupt URLs.

AusCERT has observed several instances where a variant of this trojan has been built by attackers and hosted on malicious web sites. Links to these web sites are then sent out in spam. Each new variant is generally not detected during its initial release by most anti-virus software (this is most likely, by design). Once a system is infected with this trojan, then it will often disable anti-virus software, so it will continue to remain undetected.

Various anti-virus vendors have published analysis of these trojans variants which they have called "Haxdoor" [5][6][7].

Frequently Asked Questions


  1. Are you saying that anti-virus is not effective?

    No, AusCERT still recommends that people use antivirus software.

    Up to date antivirus software provides protection against known malicious software, however it needs to be used in conjunction with other protection mechanisms [9].


  2. Is this type of trojan attack common?

    Yes, since 2004 AusCERT has seen an increasing number of these types of attacks which are aimed primarily at stealing personal and financial data. This is not an isolated incident and the information below is generally applicable to these types of trojan and malware attacks.


  3. How can I protect myself from infection from this (and other) trojan attacks?

    There is no single "silver bullet" that can protect a system from malware infection. However, compromise by malicious code can be often prevented through a combination of counter-measures and good security practices. For full details on these counter measures, please see the AusCERT's document "Protecting your computer from malicious code" [8]. It is also important to note that this particular trojan required user interaction (clicking on a web link) to infect a computer. It does not self-propagate like a worm.


  4. I use SSL when exchanging sensitive information, won't that protect me from these trojans?

    SSL provides encryption protection between your computer and the remote site with which you are connected. If your computer is already compromised with an input/output monitoring trojan, SSL cannot prevent the trojan from capturing web form data, keystrokes, and passwords.

  5. How do I know if I'm infected?

    Due to the stealthing (rootkit) and anti-virus disabling capabilities of this malware, a clean scan with an anti-virus product may not guarantee that you are free from infection. However, AusCERT has received reports that rootkit detection tools such as RootkitRevealer [9] may detect malicious files.

    AusCERT has also attempted to notify affected organisations where information relates to their customers, so notification from an institution that your account has been compromised may also indicate infection. The institution involved should be able to inform you whether the compromise relates to the Haxdoor trojan.

  6. I think I'm compromised, what should I do?

    Unfortunately, once infected it is difficult to detect that you are infected and removing this malicious software is not trivial. AusCERT is not able to provide a tool or instructions to remove it. We recommend that you contact an IT professional or your anti-virus vendor for detailed removal instructions.

    AusCERT suggests that ultimately re-installation of the operating system from the original installation media is the only way to be confident that all traces of the malware has been removed. Additional information is available from other AusCERT publications [8].


  7. Does this trojan target e-tax client software?

    AusCERT has not seen any evidence that this trojan targets taxation information or the e-tax client software specifically. The e-tax software does use certain web browser components and because of this, e-tax information may be vulnerable.

References



[1] Sydney Morning Herald - Identity theft virus infects 10,000 computers

[2] ABC News Online - Trojan infects 10,000 Australian PCs

[3] The Age - Precision phishing on the up and up

[4] AL-2006.0049 -- [Win] -- Malicious "National Bank bankrupt" email links to sites targeting multiple web browsers

[5] F-Secure Virus Information Pages: Haxdoor.M

[6] Backdoor.Haxdoor.M - Symantec.com

[7] Troj/Haxdoor-HM - Trojan - Sophos threat analysis

[8] Protecting your computer from malicious code

[9] Sysinternals Freeware - RootkitRevealer