Symantec: Trojan has 400 banks on its hitlist

Summary:A Trojan dubbed Silentbanker targets more than 400 banks including the household names in the U.S.

A Trojan dubbed Silentbanker targets more than 400 banks including the household names in the U.S. and other financial institutions abroad and hangs in the background to intercept transactions with two-factor authentication, according to researchers at Symantec.

In a day full of the usual Trojan attacks (they all sort of look alike after awhile) the sheer versatility of Trojan.Silentbanker is notable. Symantec researcher Liam OMurchu writes in a blog post:

The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead. Of course the Trojan ensures that the user does not notice this change by presenting the user with the details they expect to see, while all the time sending the bank the attacker's details instead. Since the user doesn’t notice anything wrong with the transaction, they will enter the second authentication password, in effect handing over their money to the attackers. The Trojan intercepts all of this traffic before it is encrypted, so even if the transaction takes place over SSL the attack is still valid. Unfortunately, we were unable to reproduce exactly such a transaction in the lab. However, through analysis of the Trojan's code it can be seen that this feature is available to the attackers.

Silentbanker was reported by Symantec last month but deemed very low risk at the time. Now Symantec reckons Silentbanker may have more mojo.

Symantec notes that the Trojan adapts based on what it needs. It tries the easiest attack vector and then works up to the more difficult approaches. In other words, the Trojan.Silentbanker cribs whatever it needs--cookies, passwords, certificates, HTML--to get the goods.

While this Trojan is only targeting one bank in a "classic man-in-the-middle" attack it's capable of taking any passwords for multiple services. Toss in the ability to download updates and collect referrals for redirecting you to sites and this pup is quite versatile.

See the Symantec blog for the code and other details.

Topics: Banking, Malware, Security

About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.