By ANDREW E. KRAMER
January 25, 2007
MOSCOW, Jan. 24 - Word has started spreading in Sweden about the
discovery last week of a $1 million online banking theft traced to a
Russian hacker who goes by the sobriquet the Corpse.
The case opens a window into the dark world of Russian programming and
underlines risks in online banking. Nordea Bank, the Scandinavian
financial services company involved, emphasized that only customers
whose computers were not protected by antivirus programs had become
The Swedish police said the virus was distributed with spam e-mail and
programmed to infiltrate home computers of customers at several European
and American banks. Police officers have arrested Swedish nationals and
foreigners who withdrew cash from Nordea branches after making online
The Corpses identity is unknown to computer virus specialists. The virus
in question, a so-called Trojan horse program, surreptitiously logged
keystrokes while banking customers entered their passwords.
The police identified the program as a variant of the Haxdoor Trojan.
The Corpse is thought to be the author of the original Haxdoor program
and several iterations, under names including A311 Death and Nuclear
Grabber. Those are offered for sale on a Russian Web site at prices
ranging from several hundred dollars to several thousand dollars,
depending on the version.
The site, which displays a thumbnail image of Lenin making a rude
gesture, offers to customize the software for clients for an unspecified
Thieves using the program in Sweden defrauded 250 customers of Nordeas
online banking service over a period of 15 months. The bank has
compensated its clients.
The case has drawn new attention to the bizarre world of Russian
hacking. Russias weak laws and a strong tradition of scientific
education have combined to create a flourishing culture of computer
hacking, specialists in the programming industry say.
The prevalence of pornography and fraud on the Russian Internet has
contributed to the countrys image as a digital Wild West of spammers and
hackers. And foiling Western banking security resonates with Russian
programmers, technology specialists say. Russian hackers are driven by
curiosity, greed or the desire to prove they are clever, said Denis
Kalinin, chief executive of Rambler, a successful Russian search engine
This latest version of the Haxdoor Trojan program was activated when a
customer typed the banks address into a browser. The rogue software then
recorded keystrokes to capture passwords. Later, money was transferred
to newly opened accounts and cash was withdrawn at bank branches.
Its a highly advanced form of I.T. fraud, and its never happened before
outside of industrial espionage, said Daniel Goldberg, a writer for
Computer Sweden, a technology magazine in Stockholm that first reported
the fraud, in a telephone interview Wednesday.
Aleksandr Gostev, a virus researcher at Kaspersky Labs in Moscow, said
the Corpse was known as a hacker who had sold programs to other hackers.
That meant, Mr. Gostev said, that he might not be connected to the group
that defrauded the Nordea bank customers, even if he were the author of
the keystroke-logging program.
In the case of Nordea bank, somebody who wanted to steal from clients
ordered a customized version, Mr. Gostev said. The hacker could be from
anywhere in the world.
The Corpses site carries a disclaimer in rough English that the programs
are to be used exclusively in the educational purposes. Questions mailed
to the site were not answered on Wednesday.
The Swedish police say that the Russian connection in the fraud goes
beyond the source of the virus.
Anders Ahlqvist, chief inspector in the cybercrime division of the
Swedish National Criminal Investigations Department, said in a telephone
interview that stolen passwords had been transmitted to a computer
server in the United States that forwarded the information to a server
Also, some of the money was sent to the eastern shore of the Baltic Sea
after the attack, he said, meaning Russia.
He played down the complexity of the virus, saying the fraud depended on
the carelessness of customers who downloaded it to their computers. If
people used a little common sense when they received e-mails, these
attacks would never appear, Mr. Ahlqvist said. This Trojan is very much
alive and well in computers in Sweden today. I would be surprised if it
wasnt. People are not careful enough with their machines.
And Mr. Kalinin said: When you are rich and you have enough of
everything, you usually dont do things harmful to other people. When
thats not the case, and you have to fight for a place to work and a good
life, but you are clever enough and you can show it, that is dangerous.
Copyright 2007 The New York Times Company
Subscribe to InfoSec News