Next-Gen Bank Trojans Are Upon Us

TORONTO — Banking Trojans are perhaps the most malicious form of malware today, with the express purpose of taking your money directly from your bank account.

Regardless of how much damage they may have done in the past, a new generation of banking Trojans is beginning to appear, and they’re game for even more pilfering, according to at least one security researcher.

Joe Stewart, senior security researcher at managed security firm LURHQ, detailed the evolution of the banking Trojan into its most malevolent form yet during the InfoSecurity event here.

There are the pre-2001 variety, which act as a general backdoor into a user’s PC. The hacker then enters through the backdoor and attempts to gain access to the user’s information that way.

Examples of such Trojans cited by Stewart include BackOrifice, which first appeared in 1998.

The second generation (2G) Banking Trojans are more targeted and come pre-packaged looking for specific information to automatically steal.

Take the “bancos” Trojan, a so-called 2G version with many variants. The number of variants and the actual nomenclature of the various Banking Trojans are not easy to determine, according to Stewart, since different anti-virus companies name the same things differently.

In the case of Bancos, Symantec currently has 26 named variants in its database.

The third generation (3G) of Banking Trojans actually provides for the automation of user activities, he continued.

Put it this way: The 3G Banking Trojan can steal your info and then siphon your account of its cash. The 3G Banking Trojan began with the “Win32.Grams” piece of malware, which first appeared in 2004.

Stewart recounted how he set up a fake user environment to reverse-engineer the 3G Banking Trojan and track how it hit its victim. In response to earlier Trojans that captured keystrokes, some banks implemented online keypads for customers to enter their passwords.

The idea was that if a customer just clicks on the keypad as opposed to typing it on their own keyboard that the actual password could not be stolen.

Turns out the banks were wrong.

The third generation Banking Trojan actually takes screen captures of a user’s PC. Stewart showed the results of his own analysis for the Trojan’s output in which the screen captured clearly showed the actual keys on the online keypad that were pressed.

Currently, 3G Banking Trojans are not widespread and are highly targeted in Stewart’s estimation.

The most attacked to date have been Brazilian banks, so most Americans don’t have too much too worry about yet but they will soon enough.

For the assembled security professionals that he was addressing, Stewart did note that system logs can help to identify when an automated 3G Trojan is active.

“Basically when a Trojan takes over IE or a browser, the user string will get a bit of text appended “.NET CLR” in the user-agent header,” Stewart said.

Other browser help agents (BHO) such as third party toolbars can also potentially yield the same user string though. But an automated Trojan does do something that a human typically can not.

“Look at the time logs,” Stewart advised. “If someone logs in and then one second later transfers money, you have a problem. You really have to keep your vigil up and watch for the attacks.”

Beyond just tracking logs, new software may well help stem future banking Trojan outbreaks. Windows Vista will provide new features that Stewart noted will make it harder for Trojans to do their dirty work. Some of them include improved firewalling, protected-mode IE, Windows Defender and less access to the kernel for rootkits.

News Around the Web