Tigger: Truly Interesting Trojan of the Day

#1 slgrieb (Registered User; joined Feb 2003; 4,103 posts)

Here's a nasty piece of work that got under my radar when it was brand new. The Washington Post's Security Fix examination of the bug is fascinating.

A couple of highlights from the blog: "Tigger removes a long list of other malicious software titles, including the malware most commonly associated with Antivirus 2009 and other rogue security software titles. iDefense analysts say this is most likely done because the in-your-face 'hey, your-computer-is-infected-go-buy-our-software!' type alerts generated by such programs just might tip off the victim that something is wrong with his system, and potentially lead to all invaders getting booted from the host PC."

"The scary part is, none of us are really sure how Tigger is even being distributed," Ligh said. "I look at a lot of info-stealing malware, and this is the first one I've seen in a while that goes to the trouble of removing other pieces of malware."

And from one of the responses to the story: "Tigger (or 'Syzor' as Microsoft calls it) is one of the most functionally diverse trojans that I've seen. It was very fun to analyze code that for once doesn't use TerminateProcess to kill anti-virus software and doesn't just use SSDT hooks to hide files on disk. Brian Krebs wrote a piece on this trojan earlier today with a lot of critical information."

    Most of the comments are worth a read as well, though you can ignore my re-iteration of stuff I've said here repeatedly.

#2 Niclo Iste (Registered User; joined Oct 2007; Pgh, PA; 2,051 posts)
Hmmm, considering that it is capable of useful actions, I'm curious how effective it is if used as a tool in a controlled environment that would allow me to manipulate it without it causing problems to the system. In other words, if I know how to get rid of it, I wonder if it's more useful as a tool. One could possibly say it's similar to the dynamite used to help in the construction of a mine. Of course, I could always just wait for someone to make a sterile version of Tigger, but I'd rather tinker with it until then, hehe.
    One Script to rule them all.
    One Script to find them.
    One Script to bring them all,
    and clean up after itself.

#3 slgrieb (Registered User; joined Feb 2003; 4,103 posts)
Reminds me of the subplot in Alien where we learn that the Company wants to retrieve the creature for weapons research.

#4 Niclo Iste (Registered User; joined Oct 2007; Pgh, PA; 2,051 posts)
Quote Originally Posted by slgrieb:
> Reminds me of the subplot in Alien where we learn that the Company wants to retrieve the creature for weapons research.
    Just call me Weyland-Yutani

#5 Niclo Iste (Registered User; joined Oct 2007; Pgh, PA; 2,051 posts)
Hey SLGrieb, I'm curious. If you ever have to deal with this infection, do you mind sharing with me what it was like to handle it? Or, if it's not a hassle, maybe have me remotely observe you dealing with it so I can make some notes and learn how it reacts.

#6 slgrieb (Registered User; joined Feb 2003; 4,103 posts)
As a rule, if I run up against anything weird and wonderful, I usually post about it. Sometimes, though, some of my experiences only make it onto the forum in response to other topics, like what tools I like, etc. But I try to be consistent about reporting new, noteworthy nasties if I encounter them.

Edit: Generally these days, I just don't see much that I can't kill with Combofix and Spybot S&D, with perhaps a follow-up scan by some AV program. Virtumondo.H has been one of the few things I've run across lately that Spybot and Combofix couldn't cure. But things change all the time. Tigger is very sophisticated, but it still uses a vulnerability that was patched a long time ago.
    Last edited by slgrieb; February 26th, 2009 at 08:06 PM. Reason: 2nd Thoughts

#7 Registered User (joined Mar 2005; 1,534 posts)
I have run into some unusual issues here lately where none of the programs I like would install and run (Combofix, Spybot, Malwarebytes), and in these cases I just do the full format and be done with it. Of course, I back up their data. In some cases I have tried pulling the drive and scanning it with another machine, and that doesn't even work.
