From Russia With Larceny

Finjan, a developer of Web security products, has found what has to be the nastiest of malware yet because it inserts itself into a legitimate online banking transaction that’s supposed to be protected by SSL encryption.

The company is calling this new form of thievery “crimeware,” as if we needed another term to keep straight, but it’s nasty stuff. In just the month of July, Finjan identified 58 criminals using the MPack toolkit to infect over 500,000 unique users.

MPack may be the most dangerous malware development kit seen yet. It is a PHP-based kit produced by Russian hackers for building mostly keylogging software. It’s actually sold and supported by the Russians, complete with a service contract for new versions, and is upgraded every two to four weeks. It’s not the first time a service contract has been offered for software that supports the spread of malware.

What makes MPack so nasty is that people using it hide it not on porn sites or sites with cracks and serial numbers for software, but on legitimate news and information sites that people just don’t think will be infected. Earlier this year, the Web site for Dolphin Stadium, site of the Super Bowl, was compromised.

The goal of these Trojans is theft of intellectual property, as well as your bank account. “We’ve seen Trojans that were looking for AutoCAD files,” Yuval Ben-Itzhak, CTO for Finjan, told

“What info could you want there? Likely product designs. We’re not always sure what is the exact interest in collecting this data, but if someone wrote this software, tested it and deployed it, they probably have a good reason to send it out,” he added.

But the worst that Finjan has seen as yet involves an MPack-based Trojan that inserts itself into the online banking page of a popular bank – Finjan was asked not to disclose which banks – and asks for more information than just the login and password.

According to Finjan, the crimeware it’s seen on users’ computers can recognize which bank Web site they were on and would intercept communication between the client and server to insert data entry boxes onto the Web page. The false data entry boxes mimicked the exact style of the bank so they looked totally legitimate, except they asked for things like credit card numbers with the CVV, social security numbers and ATM PINs.

If the user was not so eagle-eyed and entered the information, they would never know they were robbed, as the legitimate logon information was sent to the bank, so the transaction continued as normal, while the extra, stolen information was sent elsewhere.

All of this worked while the user had established a secure connection to the bank via SSL. In fact, the SSL connection was also used to send the stolen information, which Finjan traced to a server in Panama.
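
A defensive check for the injected data entry boxes described above, as an added example that is not from Finjan or the original article: it compares the fields found in a login form's markup against the set the bank actually serves. The field names, the allowlist and both HTML samples are constructed for illustration, and the code parses serialized markup so it runs outside a browser.

```javascript
// Added example: flag form fields that are not in the bank's expected set.
// Allowlist and sample pages are constructed, not taken from any real bank.
const EXPECTED_FIELDS = new Set(["username", "password", "csrf_token"]);

// Pull tag, name and type out of every <input>, <select> and <textarea>.
function extractFields(html) {
  const fields = [];
  const tagRe = /<(input|select|textarea)\b([^>]*)>/gi;
  for (const [, tag, attrs] of html.matchAll(tagRe)) {
    const attr = (key) => {
      const re = new RegExp(
        `(?:^|\\s)${key}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
      const m = re.exec(attrs);
      return m ? (m[1] ?? m[2] ?? m[3]) : null;
    };
    fields.push({
      tag: tag.toLowerCase(),
      name: attr("name"),
      type: (attr("type") || "").toLowerCase(),
    });
  }
  return fields;
}

// Report every data-entry field the bank did not serve. Unnamed fields are
// reported too, because script can read their values without a name.
function findInjectedFields(html, expected = EXPECTED_FIELDS) {
  const NON_DATA = ["submit", "button", "reset", "image"];
  return extractFields(html)
    .filter((f) => !NON_DATA.includes(f.type))
    .filter((f) => f.name === null || !expected.has(f.name))
    .map((f) => f.name ?? "(unnamed)");
}

// Constructed sample: the form as the bank serves it.
const CLEAN_PAGE = `<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="constructed">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>`;

// Constructed sample: the same form with the extra boxes the article lists.
const TAMPERED_PAGE = CLEAN_PAGE.replace("</form>", `  <input type="text" name="card_number">
  <input type="text" name="cvv">
  <input type="password" name="atm_pin">
</form>`);

console.log(findInjectedFields(CLEAN_PAGE), findInjectedFields(TAMPERED_PAGE));
```

Because the extra fields never reach the bank's server, a check like this has to look at the page as rendered on the client, and software running on an infected machine can interfere with it, so treat a clean result as one signal rather than proof.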

“In all of my years in computer security I’ve never seen anything like it, it was so well-done,” said an astonished Ben-Itzhak. He said the MPack-based crimeware can even remove itself from your computer so you never knew it was there.

What Ben-Itzhak found troublesome was the lack of detection for MPack. On July 1, Finjan queried VirusTotal, a Website that tracks more than 30 antivirus programs and determines which are able to detect a piece of malicious code and which don’t see it. Only six of the 32 recognized it.

When he checked again on July 29, it was still only vendors that saw it. Fortunately, two of the six were Panda Software and Symantec, which are widely used in the enterprise.

Other security vendors need to get on the stick, because MPack is “getting huge visibility in the market. It’s being used everywhere,” said Ben-Itzhak.
