The Trojan downloaded to PCs from compromised IIS servers was almost certainly the work of HangUP, a security firm said Thursday, more proof that the infamous Russian hacker group was behind last week's Web attack.

F-Secure's analysis of the Padodor/Qukart code discovered a "copyright" message in the first seven variants. According to the Finnish security firm, the Trojan contains the phrase "Padonok coded by HangUP Team."

('Padonok' is a known HangUP project name, and is a misspelling of the Russian word 'podonok,' which means 'scum,' said F-Secure.)

Later versions of the Trojan included only the word "Padonok" embedded in their code.

"Unless they provided their Padodor source code to someone else (which is doubtful), they are responsible for the latest Padodor/Qukart incidents," said F-Secure in a statement.

The Trojan horse, which was surreptitiously downloaded to machines running Internet Explorer from infected Internet Information Services (IIS) servers last week, watched for login information for prominent sites such as PayPal, eBay, EarthLink, and Yahoo, then attempted to steal confidential financial information such as credit card numbers with a phishing-style scam.

The attack was stymied a week ago when the hacker site delivering the Padodor Trojan, and other malicious components, was taken offline.

On Friday, Microsoft posted a stop-gap measure for preventing future attacks from exploiting the unpatched vulnerability in Internet Explorer which was among the causes of last week's Web infection. A formal security patch, however, has not yet been released.

You can view the original article here...
http://www.techweb.com/wire/story/TWB20040702S0002