Tigger.A: Sophisticated trojan that likes stockbrokers

* Date: March 2nd, 2009
* Author: Michael Kassner


Customers and employees of firms that trade stocks and options beware, the Tigger.A trojan is targeting you. Learn how and why.
—————&...

Lately, I’ve been spending an inordinate amount of time fighting malware. My latest adventure started when a friend called me last Friday complaining that his computer was acting weird (his words). After a few questions, I sighed as the computer had all the signs of having caught something.

Normally this isn’t a big deal. I have a spare notebook that I let people use while I’m working on their computer and my friend was counting on that. His stress level went up considerably once I told him that the spare was already loaned out. It seemed like only seconds later that my friend dropped off the computer and said please help.

To explain, my friend makes his living as a day trader (even in these tough times) and he needed his computer by early Sunday evening for the Far East stock markets. After his ranting subsided, I couldn’t resist mentioning about all the times I reminded him that he needed to have a spare computer just for situations like this. I’m not going to repeat what he said.

Curiosity prevented an immediate rebuild

I normally consider this type of problem an immediate rebuild, but I wasn’t looking forward to that as I’d forgotten to image his computer when I originally set it up. That hesitation coupled with the fact that I wasn’t super busy, (don’t tell my friend that) allowed my curiosity to get the best of me. I really wanted to find out what was causing the problem, simply because I setup his computer identical to mine. I also know he religiously keeps his computer up to date. So this shouldn’t have happened, as he told me repeatedly.

Thankfully, I didn’t have to worry about data as my friend keeps all of his files on secure flash drives. So, I started investigating, at least as much as I could. The computer was indeed acting flaky. One thing that I look at first is the list of Microsoft updates that are installed on the computer.

I use Windows explorer to drill down to C:\Windows and all the updates are listed there. As I compared what was visible on my friend’s computer to a known good list I noticed that $NtUninstallKB956803$ was missing. Hmmm. That update refers to MS08-066. I wonder why that didn’t get installed during the Windows Update cycle. Could that be the chink in the armor? The above slide shows what is supposed to be there:

Malware named Tigger, how dare they

Before I started scanning the problematic computer, I did some digging on the Internet. Almost immediately, I came across an article titled Why I Enjoyed Tigger/Syzor by Michael Ligh an iDefense security analyst and malware reconstruction expert. Whoa, that’s one bad trojan. According to Ligh, Tigger/Syzor is one of the most sophisticated pieces of malware that exists today:

“The trojan uses a privilege escalation vulnerability (MS08-066), which is almost an exact replica of the public exploit on Milw0rm. It disables Windows Defender, Windows Firewall, Outpost, Avira, Kaspersky, AVG, and CA products in unique ways such as posting malformed messages to windows owned by the daemon processes, sending special byte codes over named pipes, and using the products’ own API.”

Did you notice the reference to MS08-066? That’s what tripped my Google search and caught my attention. Ligh continues to explain:

“It installs a rootkit that runs in safe mode. The rootkit disables kernel debuggers, hooks FAT and NTFS file system drivers, and also prevents other processes from accessing the kernel driver’s memory so tools like GMER and IceSword can’t recover the .sys from RAM.

Tigger of course also injects code into user-mode processes. This component takes screen shots, hooks COM for spying on browser events, and exports passwords (protected storage, network and dial-up, and at least 11 popular chat, email, and remote access applications). It also steals web cookies, steals certificates, and puts the NIC in promiscuous mode to sniff FTP and POP3 passwords.”

Just those abilities make Tigger/Syzor pretty impressive as trojans go. Yet the list goes one. According to ThreatExpert.com, the trojan also logs keystrokes, collects system information, enables a backdoor on compromised computers, finally trying to initiate communications with command and control servers. To learn what domains are being used check out the Malware Domain List Web site.

Tigger/Syzor tries to do some good

In what may be construed as an ironic twist, Tigger/Syzor tries to remove other forms of malware (up to 20 different types) from its host computer. Experts feel that this was included to try and make the computer act as normal as possible. The part that I find intriguing is how it does all of this while keeping a very low profile. Ligh further explained how Tigger/Syzor is able to accomplish this:

“The method that it uses to fork commands to the system and capture the output involves the use of temporary desktop stations so that window messages output by the programs don’t get posted to the same desktop station as the logged-in user.”

Tigger/Syzor targets people into stocks

While researching this resourceful piece of malware, I came across an article by Washington Post’s Brian Krebs titled The Tigger Trojan: Icky, Sticky Stuff and immediately noticed that this trojan introduced yet another unique twist. For some reason, Tigger/Syzor is specifically targeting people that work for or are customers of firms that trade stocks and options. According to Krebs, it’s a very short specific list:

“Among the unusually short list of institutions specifically targeted by Tigger are E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade and Scottrade.”

My curiosity was greater than my concern of yet another tirade from my friend, so I called and asked if he had dealings with any of the above mentioned firms. Sure enough, he dealt with several of them on a regular basis. So beware if you are associated with any of those institutions.

Relatively unknown

Krebs mentioned that Ligh first found evidence of the Tigger/Syzor trojan in November of 2008. After four months, I thought there’d be more information about this trojan, but oddly there’s not much at all. It could be due to the lack of rational displayed by the anti-malware industry when it comes to labeling these threats, causing me to miss some information. I doubt it though, it appears that Tigger/Syzor is just going about its business quietly.

Back to my friend’s computer

The fact that it’s relatively unknown had me wondering if I was going to have any luck in removing the trojan. I also could tell it was a smart piece of malware as it wouldn’t allow me to install HiJackThis or MBAM. I didn’t even try GMER, based on what Ligh mentioned in his article.

I used a trick that I learned from several TechRepublic members and renamed the MBAM installation file, which allowed MBAM to be installed. I then renamed the MBAM executable and it ran as well. I found several files that were considered malware by MBAM and removed them. Ran MBAM several more times, eventually resulting in a clean machine.

On the surface, I could tell the computer was now operating normally. Still, I didn’t trust it and eventually rebuilt the system, just to be safe. I made an image this time as well. Still, I’m glad I took the time to determine what was happening. It sure was an eye-opening experience.

Final thoughts

I mentioned earlier that the Tigger/Syzor trojan is designed to be very quiet, leaving the user totally unaware of its presence. So my friend was fortunate in that something must not have been right between the operating system and the trojan as it was far from quiescent.

I’d like to leave you with one final thought from Michael Ligh as it’s my perception as well:

“The scary part is, none of us are really sure how Tigger is even being distributed. I look at a lot of info-stealing malware, and this is the first one I’ve seen in a while that goes to the trouble of removing other pieces of malware.”

Worried about security issues? Who isn’t? Delivered each Tuesday, TechRepublic’s IT Security newsletter gives you the hands-on advice you need for locking down your systems and making sure they stay that way. Automatically sign up today!

Michael Kassner has been involved with with IT for over 30 years. Currently a systems administrator for an international corporation and security consultant with MKassner Net.