Smart New Malware Targets E-Banking: Are You Ready?

Silently Stealing Your Money

Symantec's security blog is reporting that banking Trojans have now gone way beyond the poorly-worded emails asking you to log in and "correct" your account information.

With the introduction of Trojan.Silentbanker, attackers can now intercept valid e-banking transactions that use two-factor authentication and grab your banking information. This trojan is targeting both major US and foreign banks (over 400) in many countries, and uses the following techniques:

• - man-in-the-middle attack (intercepts and redirects valid transactions)
• - steals usernames, passwords, cookies used by e-banking sites
• - adds HTML code to legitimate e-banking login forms to steal information
• - steals FTP, POP, webmail, protected storage, cached passwords
• - can convert infected machine as a proxy or web server
• - is being updated on a daily basis to add new targets
• - changes DNS servers to make attacks easier

Trojan.Silentbanker attacks all Windows versions from Windows 95 through Windows Vista. Using Firefox is no protection against this Trojan, as it hooks APIs used by both IE and Firefox. Learn more on the Symantec website.

A companion piece of malware, Downloader.Silentbank, continuously tries to download Trojan.Silentbank and tries to change security and firewall settings for various products. Although Symantec's website rates it as a "very low" risk, that assessment is based mainly on low geographic distribution. Obviously, if an unprotected system tangles with Trojan.Silentbanker, the risk to your money and your identity is high.

Mebroot's Targets: the Master Boot Record - and Your Money

The master boot record (MBR) is an old target for malware. So old, in fact, that when some Maxtor external drives were discovered to have been infected with the MBR-targeting Virus.Win32.AutoRun.ah virus last fall, a Seagate spokesperson reportedly said "...I have never heard of a virus that lives the master boot record." Well, viruses and malware are still attacking the MBR.

The BBC is reporting that another e-banking threat, Trojan.Mebroot, replaces the normal MBR with a replacement MBR that contains a rootkit (enabling the threat to hide from normal operations), and then installs keyloggers targeting over 900 banking institutions. When you log into a targeting institution, the keyloggers go to work. Over 5,000 systems (mainly in Europe) have been infected thus far.

Symantec's Security Response blog offers a useful history of MBR-based threats, including the new MBR+rootkit threats typified by Mebroot. Mebroot can also be detected by Sophos as Troj/Mbroot-A, by McAfee as StealthMBR or StealthMBR/rootkit, and by Trend Micro as TROJ_SINOWAL.AD.

Stopping the Threat

These new threats can be detected and removed by up-to-date antivirus software, but are hard to stop if your antivirus and antimalware software programs are even a little out of date (or missing in action): these threats were detected just this month. Make sure you're using up-to-date programs and signature files, and as our own Will Smith says, "think before you click!"