Symantec: Trojan has 400 banks on its hitlist

Summary: A Trojan dubbed Silentbanker targets more than 400 banks including the household names in the U.S.

A Trojan dubbed Silentbanker targets more than 400 banks including the household names in the U.S. and other financial institutions abroad and hangs in the background to intercept transactions with two-factor authentication, according to researchers at Symantec.

In a day full of the usual Trojan attacks (they all sort of look alike after a while) the sheer versatility of Trojan.Silentbanker is notable. Symantec researcher Liam OMurchu writes in a blog post:

The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead. Of course the Trojan ensures that the user does not notice this change by presenting the user with the details they expect to see, while all the time sending the bank the attacker's details instead. Since the user doesn’t notice anything wrong with the transaction, they will enter the second authentication password, in effect handing over their money to the attackers. The Trojan intercepts all of this traffic before it is encrypted, so even if the transaction takes place over SSL the attack is still valid. Unfortunately, we were unable to reproduce exactly such a transaction in the lab. However, through analysis of the Trojan's code it can be seen that this feature is available to the attackers.
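The sequence the quote describes (form rewritten before encryption, confirmation page rewritten so the user sees the payee they typed, second factor forwarded unchanged) is easier to reason about as a small model. The following Python is an added example written for this page; it is not the Trojan's code and not any bank's real protocol. The account names, the HMAC-based one-time password and the in-browser hook are all constructed, and the second bank mode, where the OTP is computed over the destination and amount the bank actually received, is a defender-side illustration of why a session-only second factor does not help here, which the article itself does not discuss.

```python
"""Toy model of a browser-side payee swap and of two ways a bank might check
a second factor. All names, secrets and amounts are constructed for the example."""
import hashlib
import hmac
import secrets

# Constructed: the secret shared between the user's OTP device and the bank.
USER_SECRET = b"constructed-shared-secret"


def token_otp(secret: bytes, challenge: str) -> str:
    """Six-digit one-time password over a challenge string (toy HMAC construction)."""
    digest = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Bank with two ways of checking the second factor:
    'session'     - OTP is computed over a login nonce, independent of the transfer
    'transaction' - OTP is computed over the destination and amount the bank received
    """

    def __init__(self, mode: str):
        self.mode = mode
        self.balances = {"victim": 1000, "payee": 0, "attacker": 0}
        self.nonce = secrets.token_hex(4)   # login challenge used in 'session' mode

    def expected_otp(self, payload: dict) -> str:
        if self.mode == "session":
            return token_otp(USER_SECRET, self.nonce)
        return token_otp(USER_SECRET, f"{payload['dest']}:{payload['amount']}")

    def execute(self, payload: dict, otp: str) -> dict:
        """Apply the transfer if the OTP matches; echo back the details actually used."""
        if not hmac.compare_digest(otp, self.expected_otp(payload)):
            return {"status": "rejected", **payload}
        self.balances["victim"] -= payload["amount"]
        self.balances[payload["dest"]] += payload["amount"]
        return {"status": "ok", **payload}


class InfectedBrowser:
    """Models the two hooks the quote describes: the outgoing form is rewritten
    before it is encrypted, and the confirmation page is rewritten so the user
    sees the details they entered."""

    def __init__(self, attacker_account: str):
        self.attacker_account = attacker_account

    def submit(self, form: dict) -> dict:
        sent = dict(form)
        sent["dest"] = self.attacker_account   # swap happens before TLS, so SSL does not help
        return sent

    def render(self, response: dict, form: dict) -> dict:
        shown = dict(response)
        shown["dest"] = form["dest"]           # user is shown the payee they typed
        return shown


def run_transfer(mode: str) -> dict:
    """One victim transfer of 100 to 'payee' submitted through the infected browser."""
    bank = Bank(mode)
    browser = InfectedBrowser("attacker")
    form = {"dest": "payee", "amount": 100}

    # The OTP device sits outside the browser: it sees the user's intent, not the swap.
    if mode == "session":
        otp = token_otp(USER_SECRET, bank.nonce)
    else:
        otp = token_otp(USER_SECRET, f"{form['dest']}:{form['amount']}")

    response = bank.execute(browser.submit(form), otp)
    shown = browser.render(response, form)
    return {"shown": shown, "balances": bank.balances}


if __name__ == "__main__":
    for mode in ("session", "transaction"):
        print(mode, run_transfer(mode))
```

In the `session` mode the bank accepts the swapped payload, the attacker's constructed account is credited and the user's screen still reads `payee`, which is the outcome the quote describes. In the `transaction` mode the OTP the user computed over `payee:100` does not match what the bank expects for `attacker:100`, so the same swap is rejected without any change on the browser side.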

Silentbanker was reported by Symantec last month but deemed very low risk at the time. Now Symantec reckons Silentbanker may have more mojo.

Symantec notes that the Trojan adapts based on what it needs. It tries the easiest attack vector and then works up to the more difficult approaches. In other words, Trojan.Silentbanker cribs whatever it needs (cookies, passwords, certificates, HTML) to get the goods.

While this Trojan is only targeting one bank in a "classic man-in-the-middle" attack, it's capable of taking passwords for multiple services. Toss in the ability to download updates and collect referrals for redirecting you to sites, and this pup is quite versatile.

See the Symantec blog for the code and other details.

Topics: Banking, Malware, Security

Talkback

13 comments
  • The fact that...

    Symantec EVER considered this low risk is precisely why I have lost faith in Symantec AntiVirus.
    BitTwiddler
  • Reason 9765 not to use Windows

    The monoculture poised to claim several thousand more victims. Will you people ever learn.
    DarthRidiculous
    • The question becomes, will you ever learn?

      Sorry Gerald, your posts are increasingly repetitive, to the point that you really do not understand much beyond the drivel that has become your posts of late?

      Reason 9765 to keep laughing at you. :)
      GuidingLight
    • Sux to be you...

      ...and so inept that you can't run a secure Windows environment.

      I guess presuming that if I can do it, anyone else can do it too.
      Confused by religion
  • Larry...

    What actions, if any, can/should users take to protect themselves from Silentbanker????

    Thanks
    D T Schmitz
  • Umm...this shouldn't take long to put a stop to.

    If the trojan is directing deposits into the attackers' account(s), will it not be fairly easy for the authorities to see who owns those accounts and arrest them? I can't see how this would work beyond the first few transactions with the guy(s) then getting outta town...please enlighten me if I'm that far behind in the banking and investigative/policing realms....
    Techboy_z
    • Not as simple as that

      Not as simple as that, I'm afraid. Any scam that either steals logon details or makes payments is often combined with a separate scam (including job offers, i.e. financial controller, accept our overseas payments for a commission, or auction-style scams where a larger sum is paid and the rest sent via Western Union).

      The account holder the funds go to then sends the money somewhere via an untraceable means (most often Western Union transfer) and is as much a victim (although often incredibly naive/stupid) as the person whose account they have emptied.
      JimbobH
  • A security tip.

    I am not going to tell you to make this permanent, and you never have to say if you used it, but I give these out to everyone who uses Windows. NOTE: It works better with wired connections since you can't write to the CD (and hence nothing can ever infect it).

    Slide this in, boot up to do your banking and secure transactions, then boot back into whatever you are comfortable with.

    http://www.knoppix.org/

    For the more initiated, this will also leave you secure, and is more convenient.

    http://mostly-linux.blogspot.com/2006/10/part-1-of-4-linux-for-supernewbie.html

    TripleII
    • Good Tip

      You could boot into Ubuntu from CD as well.
      BanjoPaterson
    • Good Second Link, too (nt)

      ...
      BanjoPaterson
  • H4t3rz need not apply

    So, without the usual "Get a real operating system" spam, can anyone tell me if they know what specific Windows exploits they are referring to in the articles? I can't find that level of detail anywhere.
    piratetwins@...
    • It uses the biggest Windows exploit in the world...

      the Windows user. That they describe this as a "Trojan" suggests to me that the user has to willingly install it on their system. Theoretically, OS X has a security system in place that prevents users from willingly installing programs on their systems. I think they call it the "hourly kernel panic". :)
      NonZealot
  • And as usual...

    ...we are not given a list of the affected sites. Why even bother to report these things if you're not going to disclose which bank sites we need to steer clear of?
    Ginevra