Trojan Impersonates Windows Activation to Snatch Data

by Obi-Akpere | May 5, 2007 at 09:55 am | 501 views | 1 comment

Symantec Corp. researchers Friday warned of an in-the-wild Trojan
horse that poses as a Windows activation program to dupe users into
entering credit card information in an attempt to reanimate their
machines.

Dubbed Kardphisher, the Trojan is technically unremarkable, reported
Takashi Katsuki, a Symantec researcher. But its author has "obviously
taken great pains to make it appear legitimate."

Once the Trojan's installed, it throws up an official-looking screen
that claims the user's copy of Windows was activated by someone else.
"To help reduce software piracy, please re-activate your copy of Windows
now," the screen reads. "We will ask you for your billing details, but
your credit card will NOT be charged."

Selecting "No," said Katsuki, shuts down the PC. "Yes," meanwhile,
takes the user to a second screen where he or she is asked to enter
his or her name and credit card information, which is then transmitted
to the hacker's server. "This Trojan teaches us all a good lesson,"
added Katsuki. "Trust no one."

Details on the Trojan's bogus re-activation screens
look legit, and it plays off real-world behavior by Windows. The Web
site referenced on the first screen, for instance, is actually
Microsoft's own anti-piracy site. And in some situations, such as after
a user makes substantial hardware changes, Windows XP will demand
reactivation. Microsoft, however, never demands any personal
information, such as a credit card, during activation.

The newer Windows Vista, which is not targeted by Kardphisher, is even
more likely to require reactivation. In fact, Microsoft patched Vista in
January to quash a bug in the OS's anti-piracy technology that was
erroneously telling users they needed to reactivate.

Comments (1)

moonwolf
good stuff:

If there is info on what to do if one's computer is infected by this malware it would be most appropriate to include it in this release!
