A Monster Trojan

Symantec Weblog - August 17, 2007
Amado Hidalgo

From symantec.com

Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment Web site, Monster.com. It was also uploading data to a remote server. When we accessed this remote server, we found over 1.6 million entries with personal information belonging to several hundred thousand people. We were very surprised that this low profile Trojan could have attacked so many people, so we decided to investigate how the data could have been obtained.

Interestingly, only connections to the hiring.monster.com and recruiter.monster.com subdomains were being made. These subdomains belong to the “Monster for employers” only site, the section used by recruiters and human resources personnel to search for potential candidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view information on candidates.

Upon further investigation, the Trojan appears to be using the (probably stolen) credentials of a number of recruiters to login to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields. The Trojan sends HTTP commands to the Monster.com Web site to navigate to the Managed Folders section. It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter’s saved searches.

The personal details of those candidates, such as name, surname, email address, country, home address, work/mobile/home phone numbers and resume ID, are then uploaded to a remote server under the control of the attackers.

This remote server held over 1.6 million entries with personal information belonging to several hundred thousands candidates, mainly based in the US, who had posted their resumes to the Monster.com Web site.

Such a large database of highly personal information is a spammer’s dream. In fact, we found the Trojan can be instructed to send spam email using a mail template downloadable from the command & control server.

The main file used by Infostealer.Monstres, ntos.exe, is also commonly used by Trojan.Gpcoder.E, and both also have a similar icon for the executable file that reproduces the Monster.com company logo—hardly a coincidence.

Furthermore, Trojan.Gpcoder.E has reportedly been spammed in Monster.com phishing emails. These emails were very realistic, containing personal information of the victims. They requested that the recipient download a Monster Job Seeker Tool, which in fact was a copy of Trojan.Gpcoder.E. This Trojan will encrypt files in the affected computer and leaves a text file requesting money to be paid to the attackers in order to decrypt the files. The code for Gpcoder is rather similar to that of Monstres, which may indicate the same hacker group is behind both Trojans.

We have informed Monster.com of the compromised Recruiter accounts so they can be disabled. To protect your identity when using recruitment sites, or at least limit your exposure to identity theft, you should limit the contact information you post on these sites, use a separate disposable email address and never disclose sensitive details such as your Social Security number, passport or driver’s license numbers, bank account information, etc to prospective employers until you have established they are legitimate.