Major trojan alert for Internet banking.

Double Trouble

Elite Member
Oct 9, 1999
9,270
103
106
The article indicates that the trojan can infect PCs when they simply browse certain (infected) sites. It doesn't mention anything on how it's supposed to do this, and what browsers are affected. What vulnerability does it supposedly use to get itself onto the computer of the victim?

Clearly, anything that gets onto a PC and has full access to that PC can easily intercept anything and set up a man-in-the-middle attack; the real question is how this thing gets onto the PC and what users need to be warned about. I'm also assuming any decent anti-virus software will be updated shortly to recognize this thing and take care of it before it can do harm.....
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Umm, if this is true and "if" I'm understanding the trojan from the brief description of it, everyone should be VERY concerned.

Man-in-the-middle attacks are useless if using SSL, unless you have a process to capture the key on the client end and intercept the initial setup. Have the key within a process running on the client = can be changed or read.

It is a man in the middle attack, but this time the man in the middle has the key thanks to the process (trojan) running on the client.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: tagej
The article indicates that the trojan can infect PCs when they simply browse certain (infected) sites. It doesn't mention anything on how it's supposed to do this, and what browsers are affected. What vulnerability does it supposedly use to get itself onto the computer of the victim?

Clearly, anything that gets onto a PC and has full access to that PC can easily intercept anything and set up a man-in-the-middle attack; the real question is how this thing gets onto the PC and what users need to be warned about. I'm also assuming any decent anti-virus software will be updated shortly to recognize this thing and take care of it before it can do harm.....

That's the problem. I don't visit this forum often but it's very easy to run code just by visiting a website. This kind of crap is zero-day, meaning the definitions and updates aren't out there yet or they can't adapt fast enough.

It's not a worm, it's a trojan. Just code that may have been sitting there.
 

FP

Diamond Member
Feb 24, 2005
4,568
0
0
Sounds like an antivirus software company trying to shake things up.

That article is horribly written and is full of sensational comments.

Like tagej... If your computer is infected by ANY virus/trojan/keylogger all bets are off and you are likely screwed no matter what the name of it is.
 

FP

Diamond Member
Feb 24, 2005
4,568
0
0
Originally posted by: spidey07
Originally posted by: tagej
The article indicates that the trojan can infect PCs when they simply browse certain (infected) sites. It doesn't mention anything on how it's supposed to do this, and what browsers are affected. What vulnerability does it supposedly use to get itself onto the computer of the victim?

Clearly, anything that gets onto a PC and has full access to that PC can easily intercept anything and set up a man-in-the-middle attack; the real question is how this thing gets onto the PC and what users need to be warned about. I'm also assuming any decent anti-virus software will be updated shortly to recognize this thing and take care of it before it can do harm.....

That's the problem. I don't visit this forum often but it's very easy to run code just by visiting a website. This kind of crap is zero-day, meaning the definitions and updates aren't out there yet or they can't adapt fast enough.

It's not a worm, it's a trojan. Just code that may have been sitting there.

Define "run code." It isn't that easy to install "code" on a client computer through a web browser. It either requires an uneducated user visiting sites they probably shouldn't be or, far less likely, an uber zero-day exploit.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: binister

Define "run code." It isn't that easy to install "code" on a client computer through a web browser. It either requires an uneducated user visiting sites they probably shouldn't be or, far less likely, an uber zero-day exploit.

"run code" means exactly what I said.

Processors execute instructions in memory. I'm going to back away now.

-edit-
If this trojan is running you are screwed (from what the article says). binister, seriously...I don't visit this forum often but I have been doing this crap for a long time. I don't get paranoid much at all; this is cause for concern and I will not be doing any SSL transactions until I read more about this trojan.
 

bsobel

Moderator Emeritus / Elite Member
Dec 9, 2001
13,346
0
0
Define "run code." It isn't that easy to install "code" on a client computer through a web browser. It either requires an uneducated user visiting sites they probably shouldn't be or, far less likely, an uber zero-day exploit.

There have been some huge public sites hacked this last year that had browser exploits/installers put on them. The Miami Dolphins home page last Super Bowl comes to mind...

 

FP

Diamond Member
Feb 24, 2005
4,568
0
0
Originally posted by: spidey07
Originally posted by: binister

Define "run code." It isn't that easy to install "code" on a client computer through a web browser. It either requires an uneducated user visiting sites they probably shouldn't be or, far less likely, an uber zero-day exploit.

"run code" means exactly what I said.

Processors execute instructions in memory. I'm going to back away now.

-edit-
If this trojan is running you are screwed (from what the article says). binister, seriously...I don't visit this forum often but I have been doing this crap for a long time. I don't get paranoid much at all; this is cause for concern and I will not be doing any SSL transactions until I read more about this trojan.

I have been doing this for a long time as well... more specifically dealing with/preventing web exploits. Remember the Michelangelo? ILOVEYOU? Blaster? Melissa? All were caught on by the media and blown way out of proportion in my opinion.

Don't get me wrong, I think announcing the details of new virii is important, but saying things like "giving thieves free rein to drain accounts and wreak financial havoc on their victims" and "steering payments into a hacker's account or cleaning out the entire bank funds altogether" is sensational.

My point is that as long as you are prudent in your actions and use some common sense the majority of people (especially computer savvy people) will be fine.
 

irishScott

Lifer
Oct 10, 2006
21,562
3
0
Hmmm. I remember my AntiVir Personal Edition heuristic picked something up when I went to the BB&T home page about a month ago. It couldn't identify it, but it was some temporary file. I simply moved it to quarantine and continued with the transaction. Deleted the file afterwards and did a clean sweep of every drive I had with max heuristics, rootkit scan, Sysinternals' RootkitRevealer, and a bunch of other stuff. I was completely clean, no ill effects yet.

Again, this was a month ago, for about 3 weeks. The warning has since stopped appearing, so I assume BB&T dealt with it.

I was using Mozilla Firefox 2.0.0.x

May or may not be what's mentioned in the article.
 

bsobel

Moderator Emeritus / Elite Member
Dec 9, 2001
13,346
0
0
I have been doing this for a long time as well... more specifically dealing with/preventing web exploits.

Really? For whom (e.g. which company), what certs do you have, what's your background?

Remember the Michelangelo? ILOVEYOU? Blaster? Melissa? All were caught on by the media and blown way out of proportion in my opinion.

All of those were actually huge events at the time.

My point is that as long as you are prudent in your actions and use some common sense the majority of people (especially computer savvy people) will be fine.

Until a site like the Miami Dolphins site is hacked ;)
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: binister
I have been doing this for a long time as well... more specifically dealing with/preventing web exploits. Remember the Michelangelo? ILOVEYOU? Blaster? Melissa? All were caught on by the media and blown way out of proportion in my opinion.

Don't get me wrong, I think announcing the details of new virii is important, but saying things like "giving thieves free rein to drain accounts and wreak financial havoc on their victims" and "steering payments into a hacker's account or cleaning out the entire bank funds altogether" is sensational.

My point is that as long as you are prudent in your actions and use some common sense the majority of people (especially computer savvy people) will be fine.

Agreed, we both remember all of those. But I like my porn/black hat sites; I never know what I'm gonna get. I also remember Nimda, SQL Slammer and Blaster - worms easily identified by their traffic and scanning from an L3 and an L7 perspective. Trojans are not so identified because they are not worms. Without a known L7 signature they could be running, and without antivirus signatures they could be running.

All I know is it takes the antivirus companies at LEAST 24-48 hours to release a signature.
 

FP

Diamond Member
Feb 24, 2005
4,568
0
0
Really? For whom (e.g. which company), what certs do you have, what's your background?

I normally do not bite when comparing internet e-penis but since you are a lifer I will. I am a consultant... Have done work for many different companies (HP, Cisco, J&J to name a few). You obviously have a background in this industry so you know having a cert is hardly an indication of anything relevant. My background is web development and application engineering.

All of those were actually huge events at the time.

Not for me or any of the machines I maintained (friends, family).

Until a site like the Miami Dolphins site is hacked ;)

Again, I do not doubt that these things are threats. My issue is with the way the media blows them into something more than they are.

Are you telling me you don't think that article was a bit sensational?

Edit: Darn wrong closing tags....
 

FP

Diamond Member
Feb 24, 2005
4,568
0
0
Originally posted by: spidey07
Originally posted by: binister
I have been doing this for a long time as well... more specifically dealing with/preventing web exploits. Remember the Michelangelo? ILOVEYOU? Blaster? Melissa? All were caught on by the media and blown way out of proportion in my opinion.

Don't get me wrong, I think announcing the details of new virii is important, but saying things like "giving thieves free rein to drain accounts and wreak financial havoc on their victims" and "steering payments into a hacker's account or cleaning out the entire bank funds altogether" is sensational.

My point is that as long as you are prudent in your actions and use some common sense the majority of people (especially computer savvy people) will be fine.

Agreed, we both remember all of those. But I like my porn/black hat sites; I never know what I'm gonna get. I also remember Nimda, SQL Slammer and Blaster - worms easily identified by their traffic and scanning from an L3 and an L7 perspective. Trojans are not so identified because they are not worms. Without a known L7 signature they could be running, and without antivirus signatures they could be running.

All I know is it takes the antivirus companies at LEAST 24-48 hours to release a signature.

:D

In any case, the next week will be interesting if this turns out to be as big as the article makes it out to be.
 

S Freud

Diamond Member
Apr 25, 2005
4,755
1
81
What can the average joe do to prevent this from becoming a problem for them? My girlfriend and I both check our bank and other financial sites regularly from our computer; both of us also browse various other sites, myspace, AT, facebook, news sites, etc.

How at risk am I running AVG Free edition and keeping Firefox and AVG up to date? Is there anything that I can do, not being software savvy?
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: S Freud
What can the average joe do to prevent this from becoming a problem for them? My girlfriend and I both check our bank and other financial sites regularly from our computer; both of us also browse various other sites, myspace, AT, facebook, news sites, etc.

How at risk am I running AVG Free edition and keeping Firefox and AVG up to date? Is there anything that I can do, not being software savvy?

http://www.castlecops.com/t212...ojan_Silentbanker.html

Castle Cops indicates that AVG definitions for 1/15 and later should catch this.

In addition, this is not a brand spanking new threat. According to the Castle Cops link, most antivirus programs have had definitions for a few days now. The McAfee link in my previous post indicates that they have had generic protection from at least December 20, 2007.
 

Scarpozzi

Lifer
Jun 13, 2000
26,391
1,780
126
Man-in-the-middle attacks are rare for the simple reason that it takes inserting code on your computer (such as in the hosts file) or giving you a new TCP/IP pack....then the hackers would need a proxy server and knowledge of the sites they're trying to compromise.

For the attack to be as "large-scaled" as they claim, it would take some gifted scammers. I think, though, this is probably another one of those alarms to make people aware and get headlines. In actuality, if you go to TRUSTED websites and use an antivirus program, you should be alright. Another thing you might want to do is go ahead and flag your HOSTS file and LMHOSTS file as read-only.
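A defender-side check for the hosts-file redirection Scarpozzi describes, as an added example that is not part of the thread or of the article it discusses: it parses a hosts file, flags any hostname mapped to an address that is neither loopback nor the 0.0.0.0 "blackhole" commonly used for ad blocking, and reports whether the file carries the read-only attribute. The sample hosts content and the bank hostnames in it are constructed; 192.0.2.10 is an RFC 5737 documentation address standing in for an attacker-controlled redirect.

```python
"""Audit a hosts file for entries that could redirect online-banking traffic.

Added example, not code from the thread. A trojan with write access to the
hosts file can point a bank's hostname at an address it controls; this script
flags such entries and checks the read-only attribute the thread recommends.
"""
import ipaddress
import os
import stat
import sys

# Constructed sample hosts content. 192.0.2.10 (RFC 5737 documentation range)
# stands in for an attacker-controlled address; the bank hostnames are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # blackhole entry, typical of ad blocking
192.0.2.10      www.bank.example       # constructed suspicious redirect
192.0.2.10      online.bank.example
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines.

    One address line may carry several hostnames; each is yielded separately.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:
            yield parts[0], host.lower()


def audit_hosts(text):
    """Return suspicious (hostname, address) pairs from hosts-file text.

    An entry is suspicious when its address is neither loopback (127.0.0.0/8,
    ::1) nor unspecified (0.0.0.0, ::). An address field that does not parse
    is also reported so a human looks at it rather than it being silently skipped.
    """
    findings = []
    for addr, host in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((host, addr))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append((host, addr))
    return findings


def is_read_only(path):
    """True if the owner write bit is clear (how Windows exposes the read-only attribute)."""
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def default_hosts_path():
    """Platform default location of the hosts file."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        print(f"{path}: read-only={is_read_only(path)}")
    else:
        text = SAMPLE_HOSTS
        print("hosts file not found; auditing constructed sample instead")
    for host, addr in audit_hosts(text):
        print(f"SUSPICIOUS: {host} -> {addr}")
```

Run it with no arguments to audit the system hosts file, or pass a path (or nothing on a machine without one) to see it flag the two constructed bank entries while leaving localhost and the 0.0.0.0 blackhole alone. The read-only attribute is only a speed bump: any process running with administrator rights can clear it, so this check is most useful as a tripwire that tells you something has changed.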
 

edro

Lifer
Apr 5, 2002
24,326
68
91
Firefox will save me! :) Won't it? :(

The trojan monitors the following browsers accessing the online banks defined in the configuration files.

* maxthon.exe
* acoobrowser.exe
* iexplore.exe

Woohoo! It does! :)
 

Xavier434

Lifer
Oct 14, 2002
10,373
1
0
Firefox + NoScript ftw


Thank you for this warning. Anything involving the breach of my bank account is a big concern to me even if it only applies to a handful of configurations.
 

mechBgon

Super Moderator<br>Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: S Freud
What can the average joe do to prevent this from becoming a problem for them? My girlfriend and I both check our bank and other financial sites regularly from our computer; both of us also browse various other sites, myspace, AT, facebook, news sites, etc.

How at risk am I running AVG Free edition and keeping Firefox and AVG up to date? Is there anything that I can do, not being software savvy?


Try out non-Admin user accounts, a good foundational countermeasure. And don't play with warez/unknown stuff. This will help in many cases where your other defenses drop the ball, since the malware authors are usually assuming they'll have full Admin powers on tap.
 

Xavier434

Lifer
Oct 14, 2002
10,373
1
0
Originally posted by: S Freud
What can the average joe do to prevent this from becoming a problem for them? My girlfriend and I both check our bank and other financial sites regularly from our computer; both of us also browse various other sites, myspace, AT, facebook, news sites, etc.

How at risk am I running AVG Free edition and keeping Firefox and AVG up to date? Is there anything that I can do, not being software savvy?

Install the NoScript add-on for Firefox and only permit scripts from trusted sites. It's very easy to use.
 

altonb1

Diamond Member
Feb 5, 2002
6,432
0
71
Sounds like this is a non-event then, as long as your antivirus software is current (assuming a standard real-world AV package like AVG, McAfee, etc.).