Infostealer is a detection name used by Symantec to identify malicious software programs that gather confidential information from the compromised computer.
Background information
Back in the day, Infostealers were known by several names, including Keyloggers and Password Stealers. These malicious keystroke-capturing programs were created to steal login credentials and passwords, product keys for software programs, and game credentials and passwords. At that time, stealing information wasn't a big market or money-maker. Games weren't online then and were played solely on the computer, so giving friends access to software products or computer games was one way for the malware author to gain recognition.
Eventually, malware authors realized that there was money to be made by stealing particular types of information. Identity theft is big news these days for a very good reason. According to the U.S. Treasury Dept., every three seconds an identity is stolen online.
The virtual world has become just as busy as the real world. Games are now online. Shopping went online. Banking is conveniently online. Identity theft has now gone online and that criminal activity is a real gold mine. With the popularity of the Internet, capturing the login and password for online mail programs went from a petty means to harass a user or prove malware writing superiority to a financial windfall. Collecting email addresses is now a major business opportunity when selling this information to spammers.
Remote attackers creating botnets use the stolen computer information to continue expanding their networks. As this information can also be bought and sold, there is a profit motive driving the creation of botnets.
Who creates Infostealers?
Infostealers are created by malware authors intending to make a profit by gathering various types of information and selling it to other criminals.
The stolen information can be worth considerable sums of money depending on the details involved. For example, in 2008 it was reported by Symantec researchers that some of the most popular items of information sold in the underground economy are:
- Credit card information - for between US$0.06 - $30 each.
- Bank accounts - for between US$10 - $1000 each depending on the balance.
- Email accounts - for between US$0.10 - $100 each.
Given the sums of money involved for each item, it is clear why the malware authors try to scale their operations to gather as much information as possible in order to maximize profit potential.
What can Infostealers do?
Infostealers gather information by using several techniques. The most common techniques include the following:
- Log keystrokes
- Capture screenshots and webcam images
- Monitor Internet activity, often watching for specific financial web sites and then injecting extra fields into the forms displayed in the browser
The stolen information may be stored locally so that it can be retrieved later, or it can be sent to a remote location where it can be accessed by an attacker. The data is often encrypted before it is posted to the malware author.
What is stolen?
Infostealers are configured to gather and sometimes send various types of information. This will depend on the needs and market niche of the remote attacker. Some malware authors focus on specific financial information and identity theft for profit, while others will steal information related to the compromised computer. Such information may seem innocuous, but in the hands of a botnet master it can lead to more criminal activity.
Some of the financial information stolen by Infostealers includes the following:
- Bank account information and passwords
- Credit card numbers
- Date of birth
- Names
- Phone numbers
- Security question details
- Social Security Numbers
Targeted sensitive computer information stolen by Infostealers includes the following:
- Authentication cookies
- Computer name/Host name
- DNS details
- General Operating System information
- Geographic and browser version information
- IP address
- Network traffic information
- Private keys from system certificates
- Security-related information
- Software Information
- URLs visited
These Trojans may also attempt to steal confidential login credentials such as the following:
- Email addresses
- Login credentials/passwords for certain web sites
- Login details for FTP, IRC, POP3 email, and IMAP email
- Outlook account information
- User names and passwords
Are there any tell-tale signs?
Infostealers are often designed to stay hidden in order to give the remote attacker as much information as possible, so generally speaking there will be no obvious tell-tale signs.
What are the risks?
With confidential and sensitive information at stake, the risk posed by an Infostealer is never minimal. Identity theft is the highest risk posed by these Trojans and is considered personally damaging to a user. Stealing personally identifiable information for profit has become a huge underground market with devastating financial costs to the victims.
Are you at risk for identity theft? Check your risk assessment with Symantec's risk assessment tool.
What can I do to minimize the risks?
As a general rule, users should always run up-to-date antivirus software with real-time protection, such as Norton Antivirus, Norton Internet Security, Norton 360 or Symantec Endpoint Protection. In addition, a firewall -- or better still, an Intrusion Prevention System (IPS) -- will help to block download activities initiated by these types of malicious programs. Program controls such as those found in Symantec Endpoint Protection can also help to prevent programs such as these from executing in the first place.
How can I find out more?
Advanced users can submit a sample to Threat Expert to obtain a detailed report of the system and file system changes caused by a threat.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":