Tigger : The Pandora’s Box Triggered!

Written by: Divya Mohan • Edited by: Bill Bunter
Updated Feb 4, 2011 • Related Guides: Malware | Windows | Operating System

The malware family's lineage continues to proliferate with another malicious software-Tigger's attack. Compromising the PC's, exploiting a particular vulnerability in Windows , this trojan, targeted the stock traders. What makes it all the more menacing is -it removes other rogue security software!

Next up: ►

Slide 1 of 4

Alert!!! “your computer is infected go buy our software!" A red pop-up on my screen which enticed me into clicking the alarm button on it, turned out be a nightmare for me. Every time after that the IE window opened with repeated warnings of data being transferred or stolen. As a novice in fighting Malware, I tried HiJackThis , TrojanRemover , but they wouldn’t even install. I felt reformatting was the only way to break the stranglehold. Deluge of news on the outbreak of the new malware preying silently on the host PC’s compelled me to trace its roots.

“Tigger” - oh no! this is not the bouncing black stripped exuberant animated cartoon character ; this is the functionally diverse malicious software . Analysts at Sterling, VA based security intelligence firm iDefense first spotted this trojan in November 2008.None of the 37 anti-virus products they tested it against recognized it. One month later, one anti malware - AntiVir detected it.

This data – stealing malware has infested more than quarter million Microsoft Windows systems according to iDefense's examination of log files recovered from one of the web servers Tigger uses to download code. Packed with code that doesn’t use TerminateProcess to kill anti-virus software and camouflaged as a virtually invisible program Tigger is designed to elude even the best of malware forensic experts.

Slide 2 of 4

Does your computer have MS08-066 Windows update? Well, my computer became a victim because Windows update cycle somehow never installed this fixed patch. According to Micheal Ligh, an iDefense security analyst, Tigger/Syzor is one of the most sophisticated piece of malware that exists today:

“The trojan uses privilege escalation vulnerability (MS08-066), which is almost an exact replica of the public exploit on Milw0rm. It disables Windows Defender, Windows Firewall, Outpost, Avira, Kaspersky, AVG, and CA products in unique ways such as posting malformed messages to windows owned by the daemon processes, sending special byte codes over named pipes, and using the products’ own API.” he says

Exploiting the “Privilege Escalation” vulnerability, the intruder gains access to the legitimate "administrator" account in Windows. The rootkit is then installed which cloaks his activities, thereby allowing him to maintain administrator access without the knowledge of the system owner. Rootkit is a malicious program designed to hide the processes and files the attacker installs on the system. It is intended to seize control of the operating system running on the hardware. Typically, rootkits obscure their presence on the system through subversion or evasion of standard operating system security mechanisms. Rootkit, which originated as a regular application to monitor unresponsive systems is now the latest malware family’s lethal weapon to avert detection. A successfully-installed rootkit allows unauthorized users to maintain access as system administrators, and thus takes full control of the 'rooted' system. iDefense, further asserts : “It installs a rootkit that runs in safe mode. The rootkit disables kernel debuggers, hooks FAT and NTFS file system drivers, and also prevents other processes from accessing the kernel driver’s memory. It also steals web cookies, steals certificates, and puts the NIC in promiscuous mode to sniff FTP and POP3 passwords.”

Slide 3 of 4

The trojan also logs keystrokes, gathers system information, enables a backdoor on the compromised computer. Subsequently furnishes the non-privileged user with super user privileges by secretly replacing the login mechanism, to permit the invader to operate the system at his will.

iDefense concluded that the most scary and unique feature of this resourceful piece of malware is : “the first info-stealing malware, that goes to the trouble of removing other pieces of malware” . This low profile Tigger removes all the rogue security software titles only to project the façade of “a normally operating computer”. No wonder the red alert button tricked me into believing it’s fallacious anti-malware like properties.

iDefense affirms that Tigger seemed to be designed to exploit mainly customers or employees of stock and options trading firms. Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct Share Builder, Vanguard, Options XPress, TD Ameritrade and Scottrade.

I now know from where the plague afflicted my PC. Starting off as a first- time day trader on that unfortunate day, my market terms now have more of “Tigers” than “Bulls” and “Bears”!

Slide 4 of 4

Key steps in keeping your system in the safest state:

· Running Windows under a limited user account

· Staying up- to - date on latest patches

· Make an image of your system / maintain a back up

And if Tigger did bounce your way, then:

· A combination of VIPRE Rescue, Asquared, Trojan Remover and Avira Antivir

· Malwarebytes antimalware and SuperAntiSpyware

might close this “Pandora’s Box”!

◄ ●●●● ►