ABSTRACT

Executive Summary

On May 30, 2007, iDefense broke news of a new Trojan horse in the wild.* Anti-virus results gave no unique family name, prompting iDefense to temporarily name this code “Matryoshka” after its Russian origin. Attackers continued to distribute this Trojan horse for months with only minor changes to the list of institutions whose customers the Trojan targets. On December 17, 2007, an anti-virus vendor took notice of this Trojan, which they believed to be new.† Subsequent blog articles by this company gained the interest of reporters, and from there articles became increasingly disconcerting, which prompted an unprecedented level of customer interest in a Trojan that iDefense had already analyzed. By dissecting every function of the Trojan, iDefense can present technical evidence that teams of reverse engineers and technical experts can use to clear up any ambiguity caused by press articles. In this regard, this document contains highly technical information. Those readers looking only for high-level details on the latest target list and mitigation should consider skipping to the configuration and mitigation sections.