• United States



by Dave Gradijan

Trojan Impersonates Windows Activation Program to Steal Data

May 05, 20072 mins
Build AutomationCSO and CISO

Symantec researchers Friday warned of an in-the-wild Trojan horse that poses as a Windows activation program to dupe users into entering credit card information in an attempt to reanimate their machines.

Dubbed Kardphisher, the Trojan is nothing much technically, reported Takashi Katsuki, a Symantec researcher. But its author has “obviously taken great pains to make it appear legitimate.”

Once the Trojan is installed, it throws up an official-looking screen that claims the user’s copy of Windows was activated by someone else. “To help reduce software piracy, please re-activate your copy of Windows now,” the screen reads. “We will ask you for your billing details, but your credit card will NOT be charged.”

Selecting “No,” said Katsuki, shuts down the PC. “Yes,” meanwhile, takes the user to a second screen where he or she is asked to enter her name and credit card information, which is then transmitted to the hacker’s server. “This Trojan teaches us all a good lesson,” added Katsuki. “Trust no one.”

Details on the Trojan’s bogus reactivation screens look legit, and it plays off real-world behavior by Windows. The website referenced on the first screen, for instance, is actually Microsoft’s own antipiracy site. And in some situations, such as after a user makes substantial hardware changes, Windows XP will demand reactivation. Microsoft, however, never demands any personal information, such as a credit card, during activation.

The newer Windows Vista, which is not targeted by Kardphisher, is even more likely to require reactivation. In fact, Microsoft patched Vista in January to quash a bug in the OS’s antipiracy technology that was erroneously telling users they needed to reactivate.

-Gregg Keizer, Computerworld