Trojan horses steal bank details, passwords

Two Trojan horses with distinctive traits have been flagged by security researchers: one that hijacks one-time-use passwords, and another that hides behind a rootkit.

The unrelated malicious programs, reported this week by security companies, represent new twists thought up by hackers in their development of Trojan horses, which are harmful programs disguised to look like innocent software.

Banks in the United Kingdom, Germany and Spain have been targeted by MetaFisher, otherwise known as Spy-Agent and PWS. After infecting a computer, the Trojan horse waits until the user visits a legitimate bank Web site, then injects malicious HTML into certain fields there. The program then hijacks one-time-use PINs and transaction numbers as the person enters them into the fields.

As a result, those one-time PINs and transaction numbers are never logged onto the Web site and they remain valid, said Ramses Martinez, a director at security firm iDefense. The intruders likely store the data either for their own use or sell them on to others, he added.

The attackers attempt to place the Trojan on a computer using an exploit for the Windows Meta File flaw in Microsoft's Internet Explorer, according to a Symantec advisory. The potential victim must visit a malicious Web site to infect their system, and attackers may use e-mails to direct them there. A keylogger, which surreptitiously records the user's keystrokes, is installed on the computer alongside the Trojan.

Sana Labs discovered the other Trojan, which is distributed alongside a rootkit that hides it. The malicious software spreads via the Alcra worm, which directs infected Microsoft Windows PCs to Web sites where the programs are downloaded, Sana said. The Trojan is able to unearth passwords and usernames used previously on a machine and does not have to track keystrokes, according to Sana. The security company said it has discovered 37,000 usernames and passwords, the majority for social networking Web sites, on log files in 7,000 locations.

Once the malicious software is loaded onto a PC, it communicates with a Russian Web server, which stores the usernames and passwords gleaned by the Trojan.

Sana said the Trojan is well hidden by the kernel-level rootkit and that because of this, some antivirus programs may have difficulty detecting it. The company said that as of Monday, only five security applications--UNA, VBA32, Sophos, NOD32 version 2 and eTrust-Vet--were able to detect the threat.

[Terry Murphy]

Enjoying the sound of crickets chirping?

I'm sure officials at banking, stock brokerage, and other financial
institutions that insist customers use Microsoft's internet explorer
and Windows are.

Shhhh! Whatever you do, don't comment on this article. After all,
you don't want to draw TOO much attention to this, now do you?

[OneWithTech]

Now we KNOW..

Know what anti-virus companies are actually doing there jobs in
the form of keeping our society protected against such digital
criminal activities.

All of the companies stated in the article should be commended on
there service to society in keeping us protected. As for NORTON,
McAfree, and rest you need to step up!

~Justin

[bobbutts]

Another way to get people to visit

hackers often insert code an iframe set to load the malicious URL into otherwise legit websites.. When you visit the website, the iframe loads the page with the viruses and if your browser is vulnerable, the virus is installed. this method is much harder to prevent than the email links like the article mentions.

[bobbutts]

another way to get visits

hackers often insert code an iframe set to load the malicious URL into otherwise legit websites.. When you visit the website, the iframe loads the page with the viruses and if your browser is vulnerable, the virus is installed. this method is much harder to prevent than the email links like the article mentions.