Customers warned of banking Trojans

By Steve Malone

Posted on 28 Mar 2006 at 10:14

Customers have been warned about a new wave of Trojans which are targeting banks. A number of banks including those in Britain, Spain, Germany and the Netherlands have come under attack from the PWSteal.Metafisher Trojan which can steal personal information.

The code exploits the Graphics Rendering Engine WMF Format unspecified code execution vulnerability which came to light in the New Year to download remote files. In order for the code to operate, the visitor has to first visit a web site to load the exploit. Often, users will have been sent there by clicking on spam emails.

Once installed, the malware will wait until the user visits a legitimate banking site and installs specially crafted HTML tags into the code. It will then capture PINs or other bank account and personal information to remote servers.
Another piece of nasty code goes by the name of rootkit.hearse and installs a Trojan. The accompanying Trojan is able to discover passwords and other sensitive information stored on a computer and does not need to log keystrokes. As it is hidden by the rootkit, end users cannot see the Trojan on their hard disk and it can survive reboot and does not run as a visible process. Once installed, the code starts to transmit personal details to a server based in Russia.

Finally, the blog maintained by Kapersky Labs has also warned of Trojan-Spy.Win32.Bancos.pw which can intercept TAN codes which are used as security tokens by Postbank and Deutsche Bank. The Trojan-Spy.Win32.Bancos.pw is able to intercept HTTPS traffic.