Korgo’s phishing activities were documented by F-Secure, which reports that the associated trojan is aggressively stealing user information from infected machines. “It does this via a keylogger which specifically collects user logins for online banks (the ones which do not use one-time passwords),” writes F-Secure’s Mikko Hypponen. “It also logs everything the user types to any web form – this will collect lots of credit card numbers, passwords etc.”
That information is sent to one of 11 geographically distributed Internet Relay Chat (IRC) servers, including eight different servers on the Undernet IRC network, which claims to have 45 servers in 35 countries.
The emergence of phishing worms presents yet another reason for Windows users to be vigilant about patching their systems. Korgo’s victims were users whose machines remained unpatched more than 45 days after a fix became available, despite persistent calls to install the patch. Only the security laggards were victimized this time. But as with any malware proof-of-concept, the attack agent is apt to arrive more quickly the next time an opportunity arises.