Trojan infects 10,000 Australian PCs

By Simon Lauder for The World Today

A trojan known as A311 Death is estimated to have infected 10,000 computers in Australia.

The Australian Computer Emergency Response Team is investigating the program, which is believed to have come from Russia.

Chris Horsley, a AusCERT security analyst, says thousands of Australian PCs are infected, and the trojan is spreading fast.

"Our current estimate is around 10,000 but there's more infections worldwide," he said.

"They seem to be constantly feeding new runs of this particular trojan by a lot of different vectors."

The Australian Tax Office says the A311 Death trojan has been used to detect the tax file numbers of 200 people who have lodged their tax returns online.

Those people have all been offered new tax file numbers, and a spokeswoman says lodging a tax return online is still considered safe if users have the latest virus detection software.

But Mr Horsley says most anti-virus programs will not detect the trojan.

"Sometimes not. One of the methods that the trojan uses is disabling antivirus and also changing the operating system to hide its presence from the programs running on it," he said.

"So that's made detection in this particular case quite difficult."

But Peter Cassidy, from the US based Anti-Phishing Working Group, says virus protection is still a good idea.

"It offers probably as much protection as a seatbelt will," he said.

"None of it's perfect but you would never want to drive without wearing a seat belt.

"Antivirus is the same way. You'd rather have it than not."
Phishing

The trojan is the latest example of online phishing.

As the proceeds from electronic crime continue to grow - they topped $100 billion in 2004 - scammers are outsourcing phishing work to programmers to seize control of home computers.

"Program writers and people who control bot networks, basically aggregations of machines, that are controlled by a third party that's not paying for the service," Mr Cassidy said.

"They commandeer the machine and they then rent out their services to people who want to drive phishing attacks."

Mr Cassidy says a new type of technical subterfuge is emerging - programs that can retrieve data from a computer with no participation from the user.

"What we see happening is complete automation of phishing, and the submergence of phishing below detectable levels," he said.

"Phishing now, most of it, we can actually see.

"But, what we're seeing is a trend over time, over the years, is that crimeware as it develops, becomes very, very difficult to detect.

"And that future is already here in places like Brazil."

A311 Death is not quite as sophisticated as that but Mr Horsley, says it still has the ability to get as much data as the user puts into their computer.

"Generally, what they're looking for are ... every time you connect to a website, and you transmit data to that website, they're saving a copy of that data off," he said.

"That would include things like when you're connecting to webmail sites, when you're connecting to any sites involving credentials.

"Those are the main things they're after."

It's been around for a few years in various forms.

Backdoor/A311death/103.A.
related to Backdoor. Backdoor known as spyware related software starting every time the computer is started. Backdoor write itself into system registry, makes high network traffic which causes slow computer performance and internet connection speed. After backdoor has been installed on your system, hacker is able to fully control your system. New and unknown software can be remotely installed without your consent allowing hacker to monitor your system. Remove backdoor as soon as possible. Don't let to ruin your system!

Automatic Backdoor/A311 death 103.A.Server removal tools: available at various sites including 'Spy Sweeper' main site.