Researchers at Panda Labs have discovered a free toolkit that allows users to turn any executable file into a worm.
The tool, believed to originate in Spain, is simple to use and can be
configured with various functionality, according to Panda. The
application, known as T2W, or TrojanToWorm, can be customized to disable
certain operating system components, such as Task Manager, Windows
Registry Editor and web browsers.
"The scary part is that you can take existing stealth-based malware
and actually make it a worm," Ryan Sherstobitoff, chief corporate
evangelist for Panda Security, told SCMagazineUS.com on Wednesday. "Now
you can infect hundreds of desktops. That's the really scary part. Taking
something that's already really dangerous and making it self-replicate."
But experts say the application is, more than anything, deliberately
designed for inexperienced hackers, known as script kiddies, so that more
sophisticated hackers can continue to fly under the radar and commit
silent but destructive data breaches.
The idea is to create as much noise as possible so corporate IT
security departments get distracted dealing with these incidents,
Sherstobitoff said. That is why the toolkit -- and many others like it --
is being offered for free in underground forums populated by script
kiddies.
"This is a way to get their real clever attacks unseen for as long as
possible," he said. "They can get away with breaching a Hannaford or a
TJX and nobody will notice because they're too busy killing the script
kiddies who are creating malware."
Even though the toolkit can create a worm, it is unlikely to result in
a dangerous threat because most identity-theft malware is "beyond the
capability of a script kiddie," Sherstobitoff said.
Sam Curry, vice president of product management for identity and access
assurance at RSA, said the strategy of creating "noise" has been around
for many years but only recently has the motivation turned financial.
"We're seeing a proliferation of a lot of tools," he told
SCMagazineUS.com on Wednesday. "The more noise there is, the less
likely someone is to get caught. If all the alarm bells in your
building go off at once, where do you send the security guard?"
Curry said many of these toolkits are placed in underground forums,
which are created by the most advanced cybercriminals, but frequented by
low-level hackers.
"They think they're hanging with the tough crowd, but they're actually
just the stool pigeons and distractions," Curry said. "It's actually
pathetic in a way."