Brute forcing your eBay account

We recently received samples of a new sophisticated Trojan which targets eBay user accounts. The Trojan uses a complex, multi-stage attack method, with the final stage using the eBay developer API in an attempt to brute force account information from eBay users.

The first stage of the Trojan is initiated when a user runs a file identified by Sophos as Troj/Haoba-A. This file connects to a third party website in an attempt to find out information about the victim including their IP address. This information along with other identifying data about the victim computer is then sent to the bot server. One interesting characteristic of Troj/Haoba-A is that it downloads a different set of instructions depending on whether or not the victim is located inside the United States.

Troj/Haoba-A drops a copy of itself in the Windows system directory and adds a registry entry so that the Trojan is run every time Windows starts.

Troj/Haoba-A also has downloader functionality which retrieves a bot component from the server and installs it on the victim computer. The downloader attempts to install the bot every time the computer starts. In this way the author can update the bot version on the victim computer at a time of his or her choosing.

The bot component (identified by Sophos as Troj/Ebbot-A) contains functionality to download username and password combinations from the bot server. Using the eBay developer API over SSL, bot clients attempt to connect to eBay servers and extract user account information using the credentials provided by the bot server. The bots use a brute force technique to acquire this information. In such an attack, an assailant attempts to defeat a password scheme by trying many or all passwords for a given username.

The attack is highly distributed, with each individual bot only attempting a small number of username/password combinations. This may be an effort to avoid the detection that a large number of connections from a single computer would attract.
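A per-source failed-login threshold is exactly what the distributed pattern above is built to slip past; grouping failures by the targeted username instead exposes it. The following is an added detection example written for this post, not code from Sophos or from the analysed Trojan; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of failed-login records (hypothetical format, not real eBay or Sophos data).
SAMPLE_LOG = """\
auth_fail user=alice src=203.0.113.10
auth_fail user=alice src=203.0.113.11
auth_fail user=alice src=203.0.113.12
auth_fail user=alice src=203.0.113.13
auth_fail user=alice src=203.0.113.14
auth_fail user=bob src=198.51.100.7
auth_fail user=bob src=198.51.100.7
auth_fail user=bob src=198.51.100.7
auth_fail user=bob src=198.51.100.7
auth_fail user=bob src=198.51.100.7
auth_fail user=bob src=198.51.100.7
auth_fail user=carol src=192.0.2.44
"""

LINE_RE = re.compile(r"auth_fail user=(?P<user>\S+) src=(?P<src>\S+)")

def failure_counts(text):
    """Nested counts: username -> source address -> number of failed logins."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the failure format are ignored
            counts[m["user"]][m["src"]] += 1
    return counts

def per_source_hits(text, max_per_source=5):
    """Classic rule: flag any source with more than max_per_source failures (any user)."""
    return {src for per_src in failure_counts(text).values()
            for src, n in per_src.items() if n > max_per_source}

def distributed_guessing(text, min_sources=5, max_per_source=2):
    """Flag usernames whose failures come from many sources that each try only a few times.
    Returns {username: number_of_low_volume_sources}; the per-source rule never sees these."""
    flagged = {}
    for user, per_src in failure_counts(text).items():
        low_volume = [src for src, n in per_src.items() if n <= max_per_source]
        if len(low_volume) >= min_sources:
            flagged[user] = len(low_volume)
    return flagged
```

The single noisy source targeting `bob` trips the per-source rule, while the five single-attempt sources against `alice` are invisible to it and only appear once failures are grouped by username.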

I can only speculate on what the author does with the accounts once they are compromised. Some possibilities include placing fraudulent bids and selling fake items. Whatever the motivations are, this should be a wake-up call for home users and businesses to safeguard their personal data through the use of strong passwords and to use a security suite to protect against this and all other emerging threats.