UK users targeted by banking Trojan
Published: 27 Mar 2006 09:05 BST
Two Trojan horses with distinctive traits have been flagged by security researchers: one that hijacks one-time-use passwords, and another that hides behind a rootkit.
The unrelated malicious programs, reported this week by security companies, represent new twists thought up by hackers in their development of Trojans, which are harmful programs disguised to look like innocent software.
Banks in the UK, Germany and Spain have been targeted by MetaFisher, otherwise known as Spy-Agent and PWS. After infecting a computer, the Trojan horse waits until the user visits a legitimate bank Web site, then injects malicious HTML into certain fields there. The program then hijacks one-time-use PINs and transaction numbers as the person enters them into the fields.
As a result, those one-time PINs and transaction numbers are never logged onto the Web site and they remain valid, said Ramses Martinez, a director at security firm iDefense. The intruders are then likely to store the data either for their own use or sell them on to others, he added.
The attackers attempt to place the Trojan on a computer using an exploit for the WMF flaw in Internet Explorer, according to a Symantec advisory. The potential victim must visit a malicious Web site to infect their system, and attackers may use emails to direct them there.
Sana Labs discovered the other Trojan, which is distributed alongside a rootkit that hides it. The malicious software spreads via the Alcra worm, which directs infected Microsoft Windows PCs to Web sites where the programs are downloaded, Sana said. The Trojan is able to unearth passwords and usernames used previously on a machine and does not have to track keystrokes, according to Sana. The security company said it has discovered 37,000 usernames and passwords, the majority for social networking Web sites, in log files in 7,000 locations.
Once the malicious software is loaded onto a PC, it communicates with a Russian Web server, which stores the usernames and passwords gleaned by the Trojan.
Sana said the Trojan is well hidden by the kernel-level rootkit and that because of this, some antivirus programs may have difficulty detecting it. The company said that as of Monday, only five security applications — UNA, VBA32, Sophos, NOD32 version 2 and eTrust-Vet — were able to detect the threat.
Two Trojan horses with distinctive traits have been flagged by security researchers: one that hijacks one-time-use passwords, and another that hides behind a rootkit.
The unrelated malicious programs, reported this week by security companies, represent new twists thought up by hackers in their development of Trojans, which are harmful programs disguised to look like innocent software.
Banks in the UK, Germany and Spain have been targeted by MetaFisher, otherwise known as Spy-Agent and PWS. After infecting a computer, the Trojan horse waits until the user visits a legitimate bank Web site, then injects malicious HTML into certain fields there. The program then hijacks one-time-use PINs and transaction numbers as the person enters them into the fields.
As a result, those one-time PINs and transaction numbers are never logged onto the Web site and they remain valid, said Ramses Martinez, a director at security firm iDefense. The intruders are then likely to store the data either for their own use or sell them on to others, he added.
The attackers attempt to place the Trojan on a computer using an exploit for the WMF flaw in Internet Explorer, according to a Symantec advisory. The potential victim must visit a malicious Web site to infect their system, and attackers may use emails to direct them there.
Sana Labs discovered the other Trojan, which is distributed alongside a rootkit that hides it. The malicious software spreads via the Alcra worm, which directs infected Microsoft Windows PCs to Web sites where the programs are downloaded, Sana said. The Trojan is able to unearth passwords and usernames used previously on a machine and does not have to track keystrokes, according to Sana. The security company said it has discovered 37,000 usernames and passwords, the majority for social networking Web sites, in log files in 7,000 locations.
Once the malicious software is loaded onto a PC, it communicates with a Russian Web server, which stores the usernames and passwords gleaned by the Trojan.
Sana said the Trojan is well hidden by the kernel-level rootkit and that because of this, some antivirus programs may have difficulty detecting it. The company said that as of Monday, only five security applications — UNA, VBA32, Sophos, NOD32 version 2 and eTrust-Vet — were able to detect the threat.
Did you find this article useful?
114 out of 213 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
Full Talkback thread
1 comment
