
Smart Card Alliance Discussion of Sykipot Trojan Attack

On January 12, 2012, Alienvault Labs reported a new variant of the Sykipot Trojan that targets computers running the Windows® operating system and using PIN-protected smart cards for multi-factor authentication to secure networks and information systems. The Smart Card Alliance developed this document to provide additional relevant information about the attack as it relates to the smart card present in the infected computer.

According to Alienvault, the attack was implemented as follows:

Like other malware, the Sykipot Trojan exploits a flaw in software on the victim's computer. Once covertly installed, it sits on the user's PC and collects information from the user's activity. This particular variant captures the keystrokes the user types into any application's PIN prompt (e.g., operating system logon, web browsers, the smart card middleware user interface), reads the user's certificates from the Windows certificate store (the public certificates that Windows propagates from the card; the corresponding private keys never leave the card), and then uses the captured PIN together with the card to log in to protected resources.

The attack relies on the malware running on the compromised operating system with privileges that let the authentication subsystem treat it as any other trusted application. The malware interposes itself between the protected resource and the smart card: it relays the resource's authentication requests to the authentication system and answers them with the legitimate card, supplying the captured PIN. Because the private key never leaves the card, the card must be present in the reader for the malware to access protected resources; the malware can use the card, but it cannot copy it.

The attack is stopped by cleaning the malware from the operating system, protecting the operating system against reinfection, and updating or patching the software application through which the malware was introduced. Although the integrity of the smart card was not compromised, the credentials it holds may have been used for unauthorized transactions while the malware was active. The smart card PIN should be reset (after the system is clean, since a resident keylogger would simply capture the new PIN) and, as a best practice, new public key certificates should be issued to the user, with the compromised certificates added to the certificate revocation list (CRL) and to the validation services (e.g., OCSP responders) that relying parties consult.
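The following Python model is added here as an illustration; it is not code from the Smart Card Alliance or from Alienvault's analysis. It walks through the attack path described above (PIN keylogging, reading the public certificate from the store, proxying authentication through the card in the reader) and the remediation steps in the preceding paragraph (PIN reset, certificate revocation), and shows why the card must be present and why a PIN reset alone is insufficient while the malware is still resident. The RSA key, the certificate serial, the PINs and the class names are all constructed for the example; the modulus is deliberately tiny so the script runs on the standard library alone, and the toy signature stands in for the real card's signing operation.

```python
"""Constructed model of the Sykipot attack path and the page's remediation steps.
Added example, not Smart Card Alliance or Alienvault code. A toy RSA key with a
tiny modulus (assumption: illustration only) stands in for the card's signing."""
import hashlib
import os
from collections import namedtuple

# Toy RSA: small primes, NOT secure, chosen so no third-party library is needed.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)

# Public data only: what Windows propagates into the user's certificate store.
Certificate = namedtuple("Certificate", "serial e n")


def digest(challenge: bytes, n: int) -> int:
    """Hash the challenge and reduce it into the toy modulus."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


class SmartCard:
    """Holds the private key and never returns it; signing needs the correct
    PIN and the card physically present in the reader."""
    def __init__(self, cert: Certificate, d: int, pin: str):
        self.cert, self._d, self._pin, self.present = cert, d, pin, True

    def sign(self, challenge: bytes, pin: str) -> int:
        if not self.present:
            raise RuntimeError("no card in reader")
        if pin != self._pin:
            raise PermissionError("wrong PIN")
        return pow(digest(challenge, self.cert.n), self._d, self.cert.n)

    def reset_pin(self, new_pin: str) -> None:
        self._pin = new_pin


class RelyingParty:
    """Authentication system: challenge-response with revocation checked first."""
    def __init__(self):
        self.crl = set()                  # serials of revoked certificates

    def authenticate(self, cert: Certificate, challenge: bytes, sig: int) -> str:
        if cert.serial in self.crl:
            return "revoked"
        if pow(sig, cert.e, cert.n) != digest(challenge, cert.n):
            return "bad signature"
        return "ok"


class Sykipot:
    """Malware model: keylogs the PIN, reads the public certificate from the
    store, and proxies authentication through the legitimate card."""
    def __init__(self):
        self.captured_pin, self.stolen_cert = None, None

    def keylog(self, keystrokes: str) -> None:
        self.captured_pin = keystrokes        # typed into any PIN prompt

    def read_cert_store(self, store: list) -> None:
        self.stolen_cert = store[0]

    def login(self, card: SmartCard, rp: RelyingParty) -> str:
        challenge = os.urandom(16)
        try:
            sig = card.sign(challenge, self.captured_pin)
        except (RuntimeError, PermissionError) as err:
            return f"card error: {err}"
        return rp.authenticate(self.stolen_cert, challenge, sig)


def run_scenario() -> dict:
    """Walk the attack and the remediation; returns each step's outcome."""
    cert = Certificate(serial="1A2B", e=E, n=N)      # constructed serial
    card = SmartCard(cert, D, pin="123456")
    rp, mal, out = RelyingParty(), Sykipot(), {}

    # Normal login: the keylogger sees the PIN and the cert store is readable.
    mal.keylog("123456")
    mal.read_cert_store([cert])
    challenge = os.urandom(16)
    out["user_login"] = rp.authenticate(cert, challenge, card.sign(challenge, "123456"))

    # The malware authenticates through the real card while it is inserted.
    out["malware_card_present"] = mal.login(card, rp)

    # Pull the card: PIN plus public certificate is not enough on its own.
    card.present = False
    out["malware_card_removed"] = mal.login(card, rp)
    card.present = True

    # A PIN reset defeats the captured PIN, but a still-resident keylogger
    # simply captures the new one: clean the host before resetting.
    card.reset_pin("654321")
    out["after_pin_reset"] = mal.login(card, rp)
    mal.keylog("654321")
    out["pin_recaptured"] = mal.login(card, rp)

    # Revocation: the relying party rejects the certificate regardless.
    rp.crl.add(cert.serial)
    out["after_revocation"] = mal.login(card, rp)
    return out
```

Running `run_scenario()` yields "ok" for the legitimate login and for the malware while the card is inserted, a card error once the card is pulled, a wrong-PIN error after the PIN reset, "ok" again once the resident keylogger captures the new PIN, and "revoked" once the serial is on the CRL. Issuing a fresh certificate to the user (the page's other recommendation) is the step that restores service after revocation; with a real card that means a new key pair generated on the card, which this model does not show.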

Organizations need a comprehensive, layered security strategy to protect networks and information systems from increasingly sophisticated hackers. Key elements of security include:

Multi-factor authentication using smart cards provides the strongest security against unauthorized access to networks and information systems. For example, DoD has cited dramatic results from its implementation of the Common Access Card (CAC): network intrusions fell 46 percent when the CAC replaced passwords. The recent Sykipot attack reaffirms the need for organizations to implement, continually monitor, and upgrade security measures and to maintain an active user education program.