Elusive Trojan Horse Targeting Financial Institutions

Jay Decenella, IT audit expert
May 12, 2011 /

A security vendor has claimed that a new Trojan horse responsible for the financial losses incurred by several North American financial institutions is barely detectable by major anti-virus programs.

“Sunspot”, which infects computers the way Zeus and SpyEye do, has been the cause of spotted financial fraud losses in some areas in North America with SpyEye and Zeus–like infection rates, Trusteer confirmed.

The malware comes hard on the heels of the Osama bin Laden Trojan horse that was launched in the wake of speculations that the notorious al-Qaeda leader had not been killed by the US elite forces, raising doubt in the public which has since been asking for his death images.

Security experts said the Trojan horse would ask users to first execute the application, just like any other software, before they can see the disturbing images. However, running the compressed file (named “Fotos_Osama_Bin_Laden.zip”) means granting access to cyber criminals to monitor the users’ online banking sessions, and worse, redirect their online payments to the accounts of other individuals.

But unlike the bin Laden hoax, Sunspot, which is said to target Windows, has been circulating for some time, but was never previously recognized for its financial fraud capabilities, according to Amit Klein, chief technology officer of Trusteer.

“Sunspot is another example of the growing list of financial malware that is flooding the Internet,” Klein noted, referring to several malware platforms detected by Trusteer over the past 18 months including Silon, OddJob and several others.

Trusteer revealed that Sunspot targets 32-bit and 64-bit Windows platforms from Windows XP through Windows 7, and is capable of installing in non-administrator and administrator accounts.

The Trojan horse is said to target Internet Explorer and Firefox browsers when it successfully installed.

According to Klein, analysis of the Virus Total found that only nine of 42 anti-virus programs tested, or 21 percent, has been detected so far.

“It can carry out man-in-the-browser attacks including web injections, page grabbing, key-logging and screen shooting (which captures screenshots of the mouse vicinity as a user types his/her password on a virtual keyboard),” Klein added.

Trusteer has decrypted and analyzed the Trojan horse’s configuration, including instructions to execute the fraud-focused actions.

The in-browser web security specialist was able to trace Sunspot’s command and control server (C&C) hostname, which pointed to a domain registered in Russia.

“Once installed, Sunspot is started either by ‘rundll32.exe’ via HKCUSoftwareMicrosoftWindowsCurrentVersionRun or via HKLMSOFTWAREMicrosoftActive SetupInstalled Components. It uses CBT hooking to load its DLL into the browser (Internet Explorer/Firefox),” Klein noted.

The Trojan horse then hooks several Wininet/NSPR4/user32 functions for web injections, page grabbing and key-logging, inside the browser.

Klein considered the Trojan horse interesting for two reasons.

“First, it reveals a new approach to financial malware development,” he said.

Klein argued that Sunspot “was not originally developed as crime ware,” in contrast to purpose built financial fraud platforms like Zeus, SpyEye, Bugat, and others.

Otherwise, there should have been “a sea change in malware development where general purpose and little know malware platforms are re-programmed to carry out financial fraud,” he said.

“Second, Sunspot illustrates an increasing emphasis by crime ware authors on payment card theft. We are seeing more and more malware asking victims for their credit and debit card information together with additional identifiable information,” Klein added.

He went on to explain that it would only allow cyber criminals to commit card non present fraud on the Internet and make it hard for banks to identify the source of fraudulent transactions since they cannot trace it back to a specific computer.

Trusteer advised financial institutions to protect users against crime ware through a layered security approach combining server-side and client-side zero day attack protection, warning that anti-virus programs seem to lag behind in their ability to spot the Trojan horse and other malicious programs.


Share your opinion

SEO Powered By SEOPressor