Vulnerabilities / Threats
12:49 PM

Banking Trojan Harvests Newspaper Readers' Credentials

Financial malware performs brute-force guesses of valid usernames and passwords, possibly for attacks against consumer bank accounts.

Beware financial malware that's trying to harvest usernames and passwords from a major newspaper's website.

That unusual warning comes by way of security firm ESET, which said it's observed financial malware known variously as Gataka and Tatanga being used in four recent attack campaigns. Targets include banks in Germany and the Netherlands, as well as an attack that's "trying to obtain accounts on a major U.S. newspaper's website by performing brute-force guesses of usernames and their passwords," said Jean-Ian Boutin, a malware researcher at ESET. "If this process is successful, the account information could possibly then be used to harvest private information or access paid content."

In all the campaigns, ESET observed the malware connecting with between three and ten different hacked Web pages, which served as proxies for the botnet's command-and-control (C&C) server. Boutin estimated that the underlying botnet contained "somewhere between 20,000 and 40,000 infected hosts," with the vast majority of compromised--or zombie--PCs located in Germany.

The Gataka malware itself was first detailed by S21sec in February 2011. The security firm dubbed the Trojan application, written in C++, as being "rather sophisticated" given its ability to hide on infected systems. It does that in part by downloading encrypted modules--in the form of DLL files--after it infects a system. According to S21sec, these modules or plug-ins offer additional functionality and are decrypted in memory when injected to the browser or other processes to avoid detection by antivirus software.

[ A two-year investigation ends in charges for 28 people for stealing financial and other personal information. Read about it at FBI Busts Massive International Carding Ring. ]

"In fact, when only the main component is present, there is not much functionality available to the bot-master," said ESET's Boutin. In addition, the malware in many cases also downloaded HTTP injection configuration, providing customized attack capabilities for targeted sites.

S21sec has likened the malware, aimed at banks in Germany, Portugal, Spain, the United Kingdom, to SpyEye, noting that "it can perform automatic transactions, retrieving the mules [the latest information on details of legitimate bank accounts used by criminals and their money mules to launder stolen funds] from a server, and spoofing the real balance and banking operations of the users."

"Depending on the targeted bank, the Trojan can passively grab the credentials or ask for more in order to make the fraudulent transaction [succeed] in the user session," said S21sec. "In some cases the requested credentials include the [over the phone] mobile key," meaning the malware can run a social-engineering attack to trick users into sharing a one-time PIN sent by their bank, to be used to authorize a transaction initiated by the malware.

Once the malware infects a system, it can also grab email addresses, detect and delete other installed malware--including Zeus--encrypt its communications with C&C servers, and record all HTTP traffic. To do that, a malware module known as Interceptor creates a proxy server on the local machine so that all outbound and inbound network traffic can be examined, according to ESET. "In the case of HTTPS traffic, fake certificates--encrypted in the plug-in resources--are used between the client and the proxy server," ESET explained. "The browser certificate checking functions are also patched, in an attempt to hide to the user that fake certificates are used."

The malware also offers both 32-bit and 64-bit support, defenses against virtual machines, blocks Trusteer Rapport in-browser security software from being downloaded, dumps online banking pages and sends them to the C&C server to facilitate future attacks, records lists of sites visited--and on designated sites, also video--and injects JavaScript into visited Web pages to launch man-in-the-browser (MitB) attack to try and bypass SMS-based transaction authorizations.

Gataka is compatible with nine browsers: Internet Explorer, Firefox, Chrome, Opera, Safari, Konqueror, Maxthon, Minefield, and Netscape.

Whoever is behind the malware also offers frequent updating. "When communicating with the C&C, the client provides a list containing all its installed plug-ins and their versions," said Boutin. "The server can then send updated or new plug-ins to the Trojan. In one of [Gataka's] campaigns that we followed, we observed updates to the main component every two to three days, while the plug-ins did not evolve significantly. These updates seemed to be mostly for evading detection by anti-malware software."

The malicious code highlights how when it comes to malware, would-be attackers have multiple options. "Gataka might not be as widely deployed by bot masters as SpyEye or Zeus, but it can achieve similar goals," said Boutin. "Will its modular and stable architecture attract more cyber thieves in the future? It would not be surprising, but only time will tell."

Security information and event monitoring technology has been available for years, but the information can be hard to mine. In our SIEM Success report, we provide a step-by-step guide to make the most of your SIEM system. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Moderator
7/25/2012 | 4:56:53 AM
re: Banking Trojan Harvests Newspaper Readers' Credentials
Much as I sympathise with the banks, I feel they should keep up to date with technology.
There is a security system which is being implemented
by two banks in the U.S and one in Hong Kong, and is being evaluated by a
European bank, in the wake of the report which stated that ATM crime is up
63% in Europe.
Basically, it means that the following security scenario is no longer a
Your ATM card is stolen, on the back of which you have written your PIN
number. Together with this, they stole the piece of paper, on which you
wrote your User ID and password.
To make things worse, a spy camera watched your last access.
Ordinarily, this would not be a Good Situation. However, if your bank is
incorporating the authentication method shown at , there is no way the thieves can access your
The site features a fraudproof ATM and online trading application on the
demo pages.

Worth a look?
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Why else would HR ask me if I have a handicap?"
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.