Microsoft on October 25 added the Poison Ivy remote access tool (RAT) to its automated malicious software removal tool for Windows machines, reflecting heightened concerns over a malware kit that has been around since 2005.
Microsoft added Poison Ivy just ahead of the London Conference on Cyberspace where Symantec announced the so-called "Nitro attacks" which used the RAT in dozens of intellectual property thefts aimed at the chemical industry between June and September this year.
The latest official version of Poison Ivy was released in 2008, according to Microsoft. While various English versions of the tool have been around for years, the one used in the Nitro attacks was developed by a Chinese speaker and, according to Symantec, was used by a "20-something" year-old hacker in China.
The latest incarnation of Poison Ivy offers users encrypted communications, the ability to browse files remotely, capture screen shots, audio and video, steal passwords, log key strokes, and run proxy services.
The malware typically employs "packers" to hide itself, a common technique used to obfuscate executable files. Packers are a problem for the security industry and due to the sheer volume of malware for Windows, the IEEE recently proposed to tackle their abuse by establishing a key-based registry that would allow security vendors to focus efforts on non-compliant packers.
Besides the chemical industry, analysts at Finnish security vendor, F-Secure believed that some version of the same tool were thought to be used in the attacks on RSA's SecurID authentication system earlier this year, although this has not been been confirmed by RSA.
There are many versions of Poison Ivy available and a healthy support community, as well as customised encryption features that suggested those responsible for selling and maintaining it treat the software as a service, according to Microsoft.
There are commercial and free versions, with some, such as version 2.3.0 purported to be "undetected, unique versions of Poison Ivy". The most recent official version is 2.3.2, said Microsoft.
The malware kit uses a client-server architecture, where the target system becomes a server, configured to the attacker's needs, while the client interface is used to control to the server remotely.
"[T]his allows the operators to utilise hardware, such as the microphone or camera to eavesdrop on conversations in the same room as the compromised device, browse the file system and steal data, enable a keylogger, modify the registry, enumerate the system in a variety of ways, and so on," Microsoft pointed out.
In recent times the tool has relied on flaws in Adobe's Flash Player, Acrobat and Reader to gain a foothold in target systems, as well as a range of vulnerabilities in Microsoft Office products such as Excel, Word, and Power Point.
One of Poison Ivy's unique features, according to Microsoft, was that much of the developer's additional features were documented over time "in a semi-public fashion", and used methods standard to the software industry to attract developers.
Version 2.3.0, for example, included a plugin that allowed other developers to create custom modules that run on infected machines.
Microsoft has removed the trojan from about 16,000 computers since it added it to its software removal tool for Windows.