Symantec's security blog is reporting that banking Trojans have now gone way beyond the poorly-worded emails asking you to log in and "correct" your account information.
With the introduction of Trojan.Silentbanker , attackers can now intercept valid e-banking transactions that use two-factor authentication and grab your banking information. This trojan is targeting both major US and foreign banks (over 400) in many countries, and uses the following techniques:
Trojan.Silentbanker attacks all Windows versions from Windows 95 through Windows Vista. Using Firefox is no protection against this Trojan, as it hooks APIs used by both IE and Firefox. Learn more on the Symantec website.
A companion piece of malware, Downloader.Silentbank, continuously tries to download Trojan.Silentbank and tries to change security and firewall settings for various products. Although Symantec's website rates it as a "very low" risk, that assessment is based mainly on low geographic distribution. Obviously, if an unprotected system tangles with Trojan.Silentbanker, the risk to your money and your identity is high.
The master boot record (MBR) is an old target for malware. So old, in fact, that when some Maxtor external drives were discovered to have been infected with the MBR-targeting Virus.Win32.AutoRun.ah virus last fall , a Seagate spokesperson reportedly said "...I have never heard of a virus that lives the master boot record." Well, viruses and malware are still attacking the MBR.
The BBC is reporting that another e-banking threat, Trojan.Mebroot, replaces the normal MBR with a replacement MBR that contains a rootkit (enabling the threat to hide from normal operations), and then installs keyloggers targeting over 900 banking institutions. When you log into a targeting institution, the keyloggers go to work. Over 5,000 systems (mainly in Europe) have been infected thus far.
Symantec's Security Response blog offers a useful history of MBR-based threats , including the new MBR+rootkit threats typified by Mebroot. Mebroot can also be detected by Sophos as Troj/Mbroot-A , by McAfee as StealthMBR or StealthMBR/rootkit , and by Trend Micro as TROJ_SINOWAL.AD .