Tigger is a Trojan that captures keystrokes and form submissions.
Keystrokes are captured through a kernel-level key-logger.
Form submissions are captured by hooking HTTP functions in Internet Explorer and in Firefox. Interestingly enough, the hooks are implemented as in-line patches of the second machine instruction in the respective function’s entry point (as opposed to the more traditional in-line patching, which modifies the first instruction). Thus, many security products fail to detect that the function is in fact patched.
Captured data is sent to the C&C server (POST request data is sent immediately; keystrokes are buffered and sent sporadically).
This analysis is based on an installer file whose MD5 hash is f945a45cf20722418a3036d557240b5d.
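
The second-instruction patching described above is why a check limited to a function's first instruction misses the hook. The following added example (not part of the original analysis and not Tigger's code) compares a function's leading bytes in memory against its on-disk copy over a window; the sample bytes, the addresses and the `jmp rel32` patch form are constructed assumptions.

```python
import struct

# Constructed sample: a common 32-bit Windows prologue, not bytes from a real module.
# mov edi,edi / push ebp / mov ebp,esp / sub esp,10h / push ebx / mov ebx,[ebp+8]
DISK = bytes.fromhex("8bff558bec83ec10538b5d08")
# Constructed "in-memory" copy: a 5-byte jmp rel32 written at offset 2, over the
# second instruction; the first instruction is left intact.
MEM = DISK[:2] + b"\xe9" + struct.pack("<i", 0x00200000) + DISK[7:]

FUNC_VA = 0x71000000               # hypothetical address of the function
MODULE = (0x70FF0000, 0x71100000)  # hypothetical [start, end) of its module

def first_instruction_check(mem):
    """Naive test: flag only a branch opcode at byte 0."""
    return mem[0] in (0xE8, 0xE9, 0xEB) or mem[:2] == b"\xff\x25"

def modified_spans(disk, mem, window=16):
    """Return [(offset, length)] for each run of differing bytes in the window.
    Assumes relocations were already applied to the on-disk copy."""
    spans, start = [], None
    n = min(window, len(disk), len(mem))
    for i in range(n + 1):
        differs = i < n and disk[i] != mem[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            spans.append((start, i - start))
            start = None
    return spans

def scan(disk, mem, func_va, module, window=16):
    """Report each modified span and, for a jmp rel32, where it lands."""
    findings = []
    for off, length in modified_spans(disk, mem, window):
        target = None
        if mem[off] == 0xE9 and off + 5 <= len(mem):
            rel = struct.unpack_from("<i", mem, off + 1)[0]
            target = (func_va + off + 5 + rel) & 0xFFFFFFFF
        outside = target is not None and not (module[0] <= target < module[1])
        findings.append({"offset": off, "length": length,
                         "target": target, "outside_module": outside})
    return findings

if __name__ == "__main__":
    print("first-instruction check flags it:", first_instruction_check(MEM))
    for f in scan(DISK, MEM, FUNC_VA, MODULE):
        print(f)
```

A modified span that starts at a non-zero offset and redirects outside the owning module is the pattern to alert on; the window size trades coverage against the cost of reading each function's on-disk bytes.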



