March 24, 2006 2:08 PM PST

Trojan horses steal bank details, passwords

Two Trojan horses with distinctive traits have been flagged by security researchers: one that hijacks one-time-use passwords, and another that hides behind a rootkit.

The unrelated malicious programs, reported this week by security companies, represent new twists thought up by hackers in their development of Trojan horses, which are harmful programs disguised to look like innocent software.

Banks in the United Kingdom, Germany and Spain have been targeted by MetaFisher, otherwise known as Spy-Agent and PWS. After infecting a computer, the Trojan horse waits until the user visits a legitimate bank Web site, then injects malicious HTML into certain fields there. The program then hijacks one-time-use PINs and transaction numbers as the person enters them into the fields.

As a result, those one-time PINs and transaction numbers are never logged onto the Web site and they remain valid, said Ramses Martinez, a director at security firm iDefense. The intruders likely store the data either for their own use or sell them on to others, he added.

The attackers attempt to place the Trojan on a computer using an exploit for the Windows Meta File flaw in Microsoft's Internet Explorer, according to a Symantec advisory. The potential victim must visit a malicious Web site to infect their system, and attackers may use e-mails to direct them there. A keylogger, which surreptitiously records the user's keystrokes, is installed on the computer alongside the Trojan.

Sana Labs discovered the other Trojan, which is distributed alongside a rootkit that hides it. The malicious software spreads via the Alcra worm, which directs infected Microsoft Windows PCs to Web sites where the programs are downloaded, Sana said. The Trojan is able to unearth passwords and usernames used previously on a machine and does not have to track keystrokes, according to Sana. The security company said it has discovered 37,000 usernames and passwords, the majority for social networking Web sites, on log files in 7,000 locations.

Once the malicious software is loaded onto a PC, it communicates with a Russian Web server, which stores the usernames and passwords gleaned by the Trojan.

Sana said the Trojan is well hidden by the kernel-level rootkit and that because of this, some antivirus programs may have difficulty detecting it. The company said that as of Monday, only five security applications--UNA, VBA32, Sophos, NOD32 version 2 and eTrust-Vet--were able to detect the threat.

See more CNET content tagged:
trojan horse, malicious software, bank, rootkit, security company

6 comments

Join the conversation!
Add your comment
Enjoying the sound of crickets chirping?
I'm sure officials at banking, stock brokerage, and other financial
institutions that insist customers use Microsoft's internet explorer
and Windows are.

Shhhh! Whatever you do, don't comment on this article. After all,
you don't want to draw TOO much attention to this, now do you?
Posted by Terry Murphy (82 comments )
Reply Link Flag
Well, so much for logic
"I'm sure officials at banking, stock brokerage, and other financial institutions that insist customers use Microsoft's internet explorer
and Windows are."

What a moronic statement. I deal with three banks, two stock brokerages, and various other financial institutions (like Fidelity and Vanguard), do a lot of online handling of funds, and not ONCE has anyone from any of these businesses ever MENTIONED Internet Explorer, much less "insist" that I use it.

And please remember that the reason the lesser browsers haven't been subject to many attacks yet is the exact same reason Mac computers have remained relatively safe: The hackers simply don't give a damn about a piddly 5% of the market. If suddenly Firefox commanded 50% of the browser market, you'd be seeing "New Virus Exploits Hole In Firefox!" articles on C-Net every day of the week.

Making the assumption that Microsoft should be able to anticipate every possible trojan and virus BEFORE the hackers have even written them is the height of digital naivete. YOU wouldn't be able to do it -- so why do you insist that others should be able to? Because they're "professionals"? Well, so are the hackers! Like duh!
Posted by Joe Bolt (62 comments )
Link Flag
Now we KNOW..
Know what anti-virus companies are actually doing there jobs in
the form of keeping our society protected against such digital
criminal activities.

All of the companies stated in the article should be commended on
there service to society in keeping us protected. As for NORTON,
McAfree, and rest you need to step up!

~Justin
Posted by OneWithTech (196 comments )
Reply Link Flag
The antivirus companies are writing the vriruses!- To stay in business!
MORE SALES= HAPPY STOCKHOLDERS
Posted by baswwe (299 comments )
Link Flag
Another way to get people to visit
hackers often insert code an iframe set to load the malicious URL into otherwise legit websites.. When you visit the website, the iframe loads the page with the viruses and if your browser is vulnerable, the virus is installed. this method is much harder to prevent than the email links like the article mentions.
Posted by bobbutts (21 comments )
Reply Link Flag
another way to get visits
hackers often insert code an iframe set to load the malicious URL into otherwise legit websites.. When you visit the website, the iframe loads the page with the viruses and if your browser is vulnerable, the virus is installed. this method is much harder to prevent than the email links like the article mentions.
Posted by bobbutts (21 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.