New Crimeware Kit Converts Trojan to a Worm

Easy-to-execute and spread, worm-borne Trojan attacks could camouflage more sinister targeted hacks

Dark Reading Staff, Dark Reading

June 19, 2008

2 Min Read
Dark Reading logo in a gray background | Dark Reading

A newly discovered crimeware toolkit transforms an executable file into a worm so that it can self-replicate and spread malware more readily.

Ryan Sherstobitoff, chief corporate evangelist for Panda Security USA -- which found the toolkit -- says while there are plenty of Trojan-making kits out there, this is the first Panda has seen that turns a Trojan into a worm.

“This makes existing malware spread more quickly to other PCs,” Sherstobitoff says. “An identity-stealing Trojan doesn’t normally self-replicate and turn into a worm and then get pushed out through botnets and Web infection vectors" like this type of attack, he says.

The Trojan2Worm (T2W) toolkit is a point-and-click tool that doesn’t require much technical know-how to use, and appears to have been created in Spain, according to Panda. Panda hasn’t spotted any Trojan-morphed worms yet in the wild, however.

Sherstobitoff says the toolkit is aimed at making it easier for script kiddies to launch such widespread attacks that could then be used to distract victims from more nefarious and dangerous targeted attacks launched by more sophisticated hackers. “The whole idea is to be a deliberate distraction for advanced hackers who want to do serious crime like data breaches. They have the script kiddies focus on this [Trojan-to-worm based attack] to make a lot of noise,” he says. “If you ring all of the alarms in some building, it will be difficult to determine where to send the guards.”

A Trojan-turned-worm spreads much faster than a traditional Trojan. Once one machine is infected, an entire group of desktop machines connected to that same network share environment, for instance, would quickly get infected by the worm -- without having to open a Trojan-laced attachment in an email or visit an infected Website. “Someone could get an email attachment with the newly formed worm, it executes on his desktop, and then spreads through all of the network shares. So anyone mapped to those drives gets infected,” Sherstobitoff says.

“Someone can take a Trojan that normally would infect a single PC and now make [it] infect that PC” as well as all others in that network, he says.

The T2W toolkit has some flashy features, too -- file compression and the ability to mutate its contents, according to Panda. It also lets the bad guy select a date of infection and disable some options in Windows Task Manager and Windows Registry Editor, as well as in most browsers.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights