Regional banking Trojans sneak past security defences
Under the radar
Cybercrooks have developed regionally-targeted banking Trojans that are more likely to slip under the radar of anti-virus defences.
Detection rates for regional malware vary between zero and 20 per cent, according to a study by transaction security firm Trusteer. This company markets browser security add-ons to banks, which offer them to consumers as a way of reducing the risk of malware on PCs resulting in banking fraud.
Trusteer cites two pieces of regional malware targeted at UK banking consumers. Silon.var2, crops up on one in every 500 computers in the UK compared to one in 20,000 in the US. Another strain of malware, dubbed Agent-DBJP, was found on one in 5,000 computers in the UK compared to one in 60,000 in the US.
The Zeus Trojan is the most common agent of financial fraud worldwide. The cybercrime toolkit is highly customisable and widely available through underground carder and cybercrime forums. Trusteer has identified two UK-specific Zeus botnets, designed to infect only UK-based Windows and harvest login credentials of only British banks from these compromised systems.
Trusteer reckons the crooks behind the attack are using UK-centric spam lists and compromised websites to spread the malware while staying under the radar of security firms. It compares this process to the shift from mass assaults to targeted strikes in corporate espionage-motivated attacks such as Operation Aurora, which struck Google and other hit-tech firms last year.
"Unlike known malware kits such as Zeus, Torpig, and Ambler which simultaneously target hundreds of banks and enterprises around the world and are on the radar of all security vendors, regional financial malware such as Silon.var2 and Agent.DBJP are highly targeted," said Mickey Boodaei, Trusteer's chief exec.
"In the UK, each campaign would usually focus on three to seven banks and target them for a period of six to nine months and then morph and change the list of targets, using a new more advanced version of the malware.”
Regionally-targeted malware has also cropped up in South Africa and Germany over recent months. A strain of malware called Yaludle, almost unseen outside Germany, has been used to target the online banking credentials of German surfers. Trusteer is urging banks to share information on targeted attacks locally as well as working with regulators and local law enforcement agencies to shut down command and control servers associated with regionally-targeted malware. The firm, naturally enough, also wants to persuade more banks to use its Rapport secure browsing software as a way of providing an extra defence against fraud.
Trusteer's Rapport browser lock-down technology is offered as a voluntary download by 50 banks worldwide, including NatWest and HSBC in the UK. The technology is offered alongside a remote forensics service, called Flashlight, designed to allow banks to diagnose whether a client's PC has been infected with malware following incidents of suspected fraud. Flashlight allows banks to collect samples, identify cybercrime command servers and block further attacks.
“Silon, DBJP, and other regional financial malware have been identified through Trusteer's Flashlight service and analysis and investigation results have been shared between participating banks,” explained Amit Klein, CTO of Trusteer. "If a bank in a specific region experiences fraud from a new piece of regional malware there is an 80 per cent chance that other banks in the same region will experience in the near future similar losses from this malware," he added. ®
It's slightly more of a hassle (ie a reboot when you need to do some banking), but windows users should really consider using a Linux live cd to boot into for banking transactions.
unless your bank insists you use IE6 of course.
What is new about it?
These kind of attacks have been observed since more than ten years. The idea behind is to publish many different implementations of the same or very similar malware, each implementation is spread very seldom (10 to 50).
So this malware will be always hidden under the RADAR of most security firms as occurrences of each are too few to trigger any reaction.
Often far worse compromised systems are regarded clean and trustworthy, as magic scanner xyz did not reccoggnize an malware on them --- with desastrous results.
Assembler/machine language gave as the first option to implement polymorphous code, the macro language(s) of the Office packets made it easier, and JRE includign JIT gave us a working development enivronment on every PC for polymorphous malicious code?
I dont Like Rapport
Rapport seems to just make systems very unstable to the point of making them slow to an unusable crawl
I seen it happen on Mine, my friends, my parents PCs where its been installed and just made the systems unusable then I get the call "My PC running slow, and unusable at times"
After removal of the Vile software the systems fixed
its down in my book as Security bloat ware for what it is
it uses stupid amounts of RAM and CPU even if your browser is Not Running