Sykipot Trojan Improved to Hijack DoD Smart Cards

The attacks that use the Trojan originate from China

By on January 13th, 2012 10:23 GMT

Sykipot, the well-known Trojan that’s been targeting US companies since 2007, has been found by security researchers to have an improved version which is able to hijack smart cards utilized by the United States Department of Defense (DoD).

Researchers from AlienVault Labs reveal that cybercriminals attempt to penetrate security systems based on the protection measures implemented by the company they target.

Until now, attackers have had to rely on other vulnerable vectors because authentication systems built on smartcards were hard to bypass; the recent changes to the Sykipot Trojan give them a way into systems they are not authorized to access.

In spear phishing campaigns, the attackers send emails that contain a maliciously crafted PDF file. Once the file is opened, it deploys Sykipot onto the machine and uses a keylogger to steal the PINs of the cards that pass through the computer’s card reader.

While the card is inserted in the card reader, the malware operates with the same rights as the authenticated user, which gives it access to sensitive information that is otherwise inaccessible.

The attack scenario that spreads via malicious PDF files exploits a vulnerability in Adobe Reader, but other delivery methods could be deployed with the same rate of success.

Trojans that target smartcards are not uncommon, but this particular attack variant originates from servers in China and targets the cards utilized by the DoD.

Because the unauthorized activity is performed only while the physical card is in the card reader, these malicious operations are harder to detect and to distinguish from legitimate ones.

“Although smart cards are designed to provide a two factor system of ‘chip and pin’, again we see that true two-factor authentication is not possible without a physical component that is not accessible digitally,” Jaime Blasco said.
