January 15, 2008

A New Trojan Dubbed "Silentbanker "

A sophisticated banking Trojan nick named "Silentbanker" is spreading through the internet. The two major factor which make this trojan dangerous are Its targeting more than 400 banks and it has the ability to hijack most popular online authentication methods which most banks are using.

Once infected this Trojan downloads configuration files that contains the domain names of 400 banks which includes large American banks and also some major worldwide.

The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead. Of course the Trojan ensures that the user does not notice this change by presenting the user with the details they expect to see, while all the time sending the bank the attacker's details instead. Since the user doesn’t notice anything wrong with the transaction, they will enter the second authentication password, in effect handing over their money to the attackers. The Trojan intercepts all of this traffic before it is encrypted, so even if the transaction takes place over SSL the attack is still valid. Unfortunately, we were unable to reproduce exactly such a transaction in the lab. However, through analysis of the Trojan's code it can be seen that this feature is available to the attackers.


No comments: