Banking trojans infest Internet
Posted on | February 22, 2009 | 26 comments
Banking trojans are inundating the Internet.
These malicious programs lie in wait on your hard drive for an opportune moment to crack your online banking account — usually just as you log on. You can get them by clicking on a viral link to a greeting card or video that arrives in e-mail spam. Or by clicking to a web page that’s been corrupted by hackers.
By now, most Internet users are savvy about “phishing” e-mail scams that try to trick them into typing login information at fake bank websites. So cyber thieves have shifted to spreading invisible banking trojans, which can steal data multiple ways and require no action by the victim.
“It’s basically phishing 2.0,” says Patrik Runald, security specialist at F-Secure. “Instead of giving you a fake page to get your logon credentials, they steal it directly from you.”
F-Secure tallied 59,177 unique banking trojans circulating on the Internet in 2008, up from 15,969 in 2007 and 6,690 in 2006. The escalation partly underscores how intensively criminal hackers churn out new variants to escape detection by antivirus programs.
Brazilian spawning grounds
If you think the USA has it bad, consider Brazil. The latest, greatest banking trojans invariably spawn in Brazil and subsequently spread worldwide, much like the latest strain of flu virus often starts in Asia and circles the globe.
Here’s why: Back in the 1970s and 1980s, hyperinflation and economic chaos led Brazil to streamline its basic system for completing financial transactions. The new system, called Sistema de Pagamentos Brasileiro, or SPB, helped the South American nation restore its transactions infrastructure. But it also accelerated its citizenry’s dependence on online banking. Today 60% of Internet users in Brazil are online banking patrons, versus 23% in the United States, according to Colin Groudin, CEO of Grail Research. What’s more, Brazilians use their debit cards and file electronic tax returns much more than we do, Groudin says.
Quite naturally, the best-and-brightest malicious software coders and thieving cyber gangs swarmed Brazil like flies to honey. Brazil has emerged as one of the most hostile online environments in the world; in particular, it has become a hotbed for innovation in banking trojans, says Gunter Ollmann, of IBM Internet Security Systems. Brazilian banks have not just stood pat. Brazil is home to some of the most sophisticated security countermeasures on the planet. Banks have literally figured out how to conduct secure online transactions working under the assumption that 100% of customer machines are infected, says Ollmann.
Criminals’ tool kits
The bad guys have had to keep innovating. Meanwhile, pioneering schemes that no longer work well in Brazil have found their way into underground commodity markets. Banking trojans that were cutting-edge in Brazil two years ago can be purchased today in commodity tool kits with names like “Turkojan Constructor” or “TrojanToWorm Creation Kit.” So any Joe Blow with average tech aptitude can become an online John Dillinger.
“Off-the-shelf technology gives anyone the ability to create a piece of malware and launch a banking trojan attack,” says Ollmann. “For a few hundred dollars you can purchase a tool kit and create your own customized malware to target a financial institution of your choice.”
The toolkits come with everything a criminal needs to carry out a basic attack, including software for spreading viral links in email spam or corrupting trusted web pages. The idea is to slip your banking trojan onto the hard drive of anyone who clicks on that viral email link or tainted web page.
A typical banking trojan remains dormant waiting for an opportune moment, usually when the victim logs on to a banking website. It then steals usernames and passwords by capturing keystrokes or copying the log-on page after the victim has filled it out. So-called “man-in-the-middle” trojans go further. One type injects additional form boxes asking the user to type in a Social Security number, mother’s maiden name, and other valuable data.
Another type reproduces a copy of the web page showing account balances – except with the balances altered to show the numbers the victim expects to see. This buys time for the thief to drain the account and hide his trail, says Ollmann.
Yet another type of man-in-the-middle trojan displays an official-looking banner notice asking the account holder to call a number to resolve a problem; a con artist answers and talks the victim into divulging Social Security numbers, mother’s maiden name and other data useful for future scams, says Mickey Boodaei, CEO of security firm Trusteer.
“You think you’re calling your bank,” he says. “A criminal gets all the information, then they can use this information to open a banking account or do a transaction on your behalf. And they got all this information from you.”
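As an added illustration (not code from the article, nor from Trusteer or any other vendor it names), the check below flags form fields that a man-in-the-middle trojan has injected into a login page, such as the Social Security number and mother’s maiden name boxes described above. The baseline field names and the sensitive-word patterns are assumptions, and the tampered page is constructed for the example.

```python
"""Baseline check for injected login-form fields (added example)."""
from html.parser import HTMLParser
import re

# Fields the genuine login page is known to contain (assumed baseline).
BASELINE_FIELDS = {"username", "password", "csrf_token"}

# Data a bank never asks for at login (assumed, deliberately broad list).
SENSITIVE_PATTERNS = [
    re.compile(r"ssn|social", re.I),
    re.compile(r"maiden|mmn", re.I),
    re.compile(r"pin|cvv|card", re.I),
]


class FormFieldCollector(HTMLParser):
    """Collect the name attribute of every <input> inside a <form>."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form and a.get("name"):
            self.fields.append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def find_injected_fields(html, baseline=BASELINE_FIELDS):
    """Return (injected, sensitive): field names absent from the baseline,
    and the subset of those that ask for identity or card data."""
    parser = FormFieldCollector()
    parser.feed(html)
    injected = [f for f in parser.fields if f not in baseline]
    sensitive = [f for f in injected
                 if any(p.search(f) for p in SENSITIVE_PATTERNS)]
    return injected, sensitive


# Constructed login page as a victim's browser would render it after a
# web-inject added two extra boxes; the csrf value is a placeholder.
CONSTRUCTED_TAMPERED_PAGE = """
<form action="/login" method="post">
  <input name="username"><input name="password" type="password">
  <input name="csrf_token" type="hidden" value="placeholder">
  <input name="ssn" placeholder="Social Security number">
  <input name="mothers_maiden_name">
</form>
"""

if __name__ == "__main__":
    print(find_injected_fields(CONSTRUCTED_TAMPERED_PAGE))
```

A clean page yields two empty lists; any non-empty `sensitive` result is the signal an in-browser guard would act on.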
Modest protections
How effective are popular consumer antivirus suites in protecting against banking trojans?
“Modest,” says Jose Nazario, senior researcher at Arbor Networks. “The volume of malware and the technology they employ – and the incentive to avoid detection at all costs – means that most AV has only modest detection of these variants.”
There are other effective defense mechanisms available to U.S. consumers. But the U.S. banking industry, for the moment, is choosing not to promote them widely.
Doug Johnson, vice president of risk management policy for the American Bankers Association, told me that financial institutions are required to have “additional levels of security,” and that most banks are meeting this requirement with technologies that “are transparent to the user.”
When I asked Johnson for specific examples, he cited a couple of systems banks use to make sure that an online banking customer is logging on from his or her usual PC. He could not cite any specific protections against man-in-the-middle attacks, nor give me an estimate of how much the U.S. banking industry loses each year in unauthorized online banking transactions.
“Online banking, on balance, is safe,” insists Johnson.
Yet U.S. banks continue to make it easy for crooks. Most online accounts require only a username and password to gain access. Major banks in Brazil, across Europe and in parts of Asia additionally require a unique code generated by a key fob token or smart card, or sent via text message to the account holder’s cell phone. So-called “multiple factor authentication” systems are available – but not widely promoted — in the U.S.
“Username and password still rule the earth. It’s not that there aren’t better methods for authentication, there are, but stronger authentication schemes still come at the cost of added complexity, added cost, or both,” says Brian Chess, chief scientist at Fortify Software. “Since many users don’t understand the risks they face, more complex authentication schemes can come off as an inconvenience. It would be great to see wider adoption of token-based authentication schemes such as PayPal’s Security Key, but for true widespread adoption, the cost has to be lower and the benefits have to be better understood by the public.”
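To make concrete what a key fob token or SMS code adds over a username and password, here is an added example (not from the article, PayPal or any bank) of an event-based one-time code in the HOTP style of RFC 4226, with the server-side check that accepts each code once and tolerates a few unused presses of the fob. The secret is the RFC’s published test key, not a real token seed.

```python
"""HOTP-style one-time codes and their verification (added example)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server-side state for one customer's token.

    A code is accepted only once and only inside a small look-ahead window,
    so a code captured by a keylogger cannot be replayed later, and a fob
    pressed a few times without logging in does not lock the customer out.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.window = window

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1   # resynchronise past the used value
                return True
        return False


# Test secret from RFC 4226 Appendix D (assumed; never a real seed).
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TokenVerifier(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    print(first, verifier.verify(first), verifier.verify(first))
```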
Trusteer has a nifty anti-theft system that works directly in the browser to prevent man-in-the-middle attacks, which it supplies to customers of ING Direct and several other banks. “Basically what it does is to block specific types of attempts to access information and tamper with information in the browser,” says Boodaei.
You can actually use a free version of Trusteer’s Rapport and set up basic browser protection for the specific set of online banking and shopping websites you regularly use. This technology sounds like a silver bullet, at least in terms of protecting against banking trojans.
–Byron Acohido
Comments
Byron,
Interesting and insightful post.
Without trying to pitch Panda’s products, let me respectfully disagree with Jose Nazario’s quote when he says that the effectiveness of popular consumer antivirus suites in protecting against banking trojans is only “modest”. He claims that “… the volume of malware and the technology they employ – and the incentive to avoid detection at all costs – means that most AV has only modest detection of these variants …”.
At Panda Security, we have developed a technology designed to fight an ever-growing number of malware samples, as this is a trend we foresaw back in 2006. We have labelled this system Collective Intelligence and this is already available in our consumer products to better protect our customers.
In addition, let me reference the following report that PandaLabs published last week, “Bank details uncovered”, which may be interesting to you and your readers as it relates to this very same topic. You can find it here: http://www.pandasecurity.com/img/enc/Boletines%20PandaLabs4_en.pdf
Juan.
CEO, Panda Security
Comment by Juan Santana — 2/22/2009 @ 6:37 pm
Juan:
Thanks much for your thoughtful input. On my list of things to do is an examination of antivirus suites for desktops/laptops. How effective are the blends of signature-based and behavior-based protections on the market today? Among the most well known suppliers of these suites, who’s doing what that’s most interesting and effective? The Trend and Cisco deal to move protection to the home router is intriguing. AVG has been aggressive about including a Web scanning tool. What direction is the traditional desktop/laptop AV subscription suite business heading in the next two years, with malware threats continuing to rise exponentially as Panda Labs’ stats show?
Byron
Comment by bacohido — 2/24/2009 @ 8:10 am
Good stuff Byron. I spent several years in the financial sector both as a vendor and customer. I know online banking has come a long way but there are still issues. I usually recommend a couple of different strategies for protecting yourself online. If possible use a dedicated PC that is not used for email, web surfing, etc… Use it for shopping, banking and other things that require higher security. Also, just be careful what you do online. Be aware of the sites you visit and don’t click on links unless you verify them. Obviously, practice common sense w/ email and such. Type in the URL by hand instead of relying on a shortcut that could become compromised. Before entering logon credentials look at the site to ensure that it is really what you think it is. Lastly, use a personal firewall that filters inbound and outbound connections and traffic along with a good, up to date AV product.
Comment by Andy Willingham — 2/24/2009 @ 8:50 am
Aloha Byron,
Enjoyed reading your Zero Day Threat book. If you are looking for a security forum, Wilders is a great venue.
http://www.wilderssecurity.com/forumdisplay.php?f=35
You might want to also check Matt’s reviews where he actually performs anti-malware tests via Youtube.
http://www.wilderssecurity.com/forumdisplay.php?f=35
Comment by Miyagi — 2/25/2009 @ 7:48 pm
Sorry for double post. The 2nd url is this:
http://www.youtube.com/profile?user=mrizos&view=videos
Comment by Mark — 2/25/2009 @ 7:49 pm
Hi,
thanks for this great article…
I’m using TrustDefender, which helped me detect a SilentBanker infection on my PC.
Their blog (http://www.trustdefender.com/blog/) has lots of technical information.
Comment by alex — 2/26/2009 @ 11:42 am
Byron,
As for my thoughts on the effectiveness of the blend of signature-based and behavior-based protections on the market today, I would say that for the most part the blending of the technologies is standard amongst vendors and it does work. Of course there are always exceptions to the rule. For instance, many of our customers come from our competitors after their computer or network has already been compromised. Is this an engine, technology, or a resource failure? Well, it’s hard to tell because there are many factors, but in many cases cybercriminals develop malware to subvert the technology of larger vendors, leaving the end users open to attack.
The biggest problem we tackled at Panda was not an engine or technology problem, it was a resource issue. When malware authors start to produce and distribute thousands of unique samples with the click of a button, it becomes a huge task to address. Our Collective Intelligence system automatically processes malware and creates signatures for over 99% of the 25,000 samples (avg) we receive on a daily basis. What do we do with the spare time? We’re developing the next innovative technology, of course ; -)
On who’s doing what that’s most interesting and effective, I think that many vendors are currently mixing and adding small improvements to their engine functionality but we are not seeing any major technological advancement. In the next two years I expect to see more vendors integrating automated malware classification systems and cloud services into their core product lines.
Juan
Comment by Juan Santana — 2/27/2009 @ 7:39 am
We’ve been using Linux desktops and servers at home and work for approximately the last 10 years and we’ve never had a virus or spyware, or the need for anti-virus or anti-spyware. One misconfiguration (an improperly set up daemon (server application), due to lack of experience very early on) did result in a rooted web server (measured in hours, not days; the application was installed for learning about it, which didn’t belong on a web server, and ssh was used to attack the application, succeed in logging in and then escalate), but the forensic analysis of that incident was an invaluable learning lesson (and an end user wouldn’t be running a web server anyway; otherwise we can compare current Linux/Apache with Windows/IIS). Since then an internet web server along with all desktops and internal servers have been rock solid (server uptimes measured in years, desktop uptimes measured in years (not counting rarely required reboots for video card updates early on, or desktops shut down to save electricity where possible, i.e., weekends on non-essential desktops)), reliable and impenetrable. The only issues have been from a single desktop user who insists on using Windows, and the necessity of booting into Vista to install BIOS updates on dual-booting laptops (can’t blow away Windows because it’s required for BIOS updates and if a warranty issue crops up during the warranty period).
The biggest eye-opener comes from the occasional new employee who doesn’t know they aren’t using windows since their desktop only shows a few custom icons for the specific applications they need to use during the day and their desktops are normally always open to those specific applications and nothing else. The only thing they need to get used to is not closing their applications and shutting down the computer at the end of the day, instead they keep their apps open, their current work is saved but not shut down, and they get to start again the next day exactly where they left off the evening before. And the employees who come from other businesses who are still using Windows 95, Windows 98 (and for rebooting purposes to a lesser extent Windows XP, or even Windows for Workgroups who also used Windows 95/98), and who are used to rebooting after breaks or lunch or the afternoon because their desktop slows down after some hours of use, and who wonder why they never blue screen anymore.
Comment by Joe Sixpack — 3/4/2009 @ 12:48 am
In the ongoing race between virus bakeries and antivirus chemists, will there ever be a reverse movement? Won’t the bakers always be up front? Isn’t the blame to see at the banks and insurance companies? When I have 1.5 million identity sets with credit card, PIN, mother’s maiden name, dog’s hair colour, etc… and send them to the CC companies, then check 6 months later to find those numbers are still being used but the owners (whose tel# I have of course and call) are NOT being billed because they blocked the number 6 months ago!!! What the heck is going on? It’s the CC processors and banks who offload the loss to either insurances or certain “pots”!!!! The numbers continue to work because the processors don’t give a wet poop!!!
Who is paying this in the end???
Comment by roflem — 3/22/2009 @ 6:38 am