

Windows malware threatens bank accounts
Posted on May 11 2011 01:12 PM by xper in Security

Web access security provider Trusteer has identified a Microsoft Windows malware platform that it says has “morphed” into a threat that attacks North American financial institutions and their customer accounts. The trojan, dubbed “Sunspot,” has been in circulation for a while but only recently developed financial fraud capabilities, according to a blog post today by Trusteer’s Chief Technology Officer Amit Klein.

“It is currently targeting North American financial institutions and has already achieved SpyEye and Zeus–like infection rates in some regions. There are confirmed fraud losses associated with Sunspot, so the threat is real,” Klein wrote.

Sunspot infects computers running 32-bit or 64-bit Windows XP, Vista and 7, and infects Internet Explorer and Firefox browsers, which are the most widely used.

Sunspot is able to launch “man-in-the-browser” attacks in which the malware can see what the user is seeing when they are on a bank Web site. Sunspot can see account balances and request additional information from the user such as passwords, PINs or answers to secret questions. It can request payment card information and other personal information such as driver's license number, date of birth and so on, the latter of which can all be used for identity theft. Trusteer says Sunspot can also take screenshots of the open browser as a user is typing in a password or PIN, though only if done on a virtual keyboard such as on a smartphone or tablet computer. This is similar to SpyEye/ZeuS, but those infections have, so far, seemed to plague mostly European institutions.

What I notice is that Trusteer says Sunspot can “request” this information, which is not the same as taking that information. It’d be interesting to know if the malware’s success depends on the user actually providing -- or, more to the point, being stupid enough to provide -- that information. The more security-aware user would likely think this through before responding to a request for personal information. It’s unclear whether Sunspot mimics the user interface of a particular bank Web site, although I'm seeking an interview with Klein to clarify that.

Trusteer traced the trojan to Russia and Klein says this is how it infects your computer: “Once installed, Sunspot is started either by "rundll32.exe" via HKCU\Software\Microsoft\Windows\CurrentVersion\Run or via HKLM\SOFTWARE\Microsoft\Active.”
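A defender's check for the first autostart location Klein names, as an added example that is not from Trusteer or the original article: it parses `reg query` output for the HKCU Run key and lists values launched through rundll32.exe, flagging DLLs that sit in user-writable paths. The sample output, value names and the user-writable path list are constructed assumptions; the second key, which is cut off in the quote, is not covered.

```python
import re

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output; every value name and path below is invented for illustration.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Sync Helper    REG_EXPAND_SZ    RunDLL32.exe "%APPDATA%\synchlp.dll",Start
    NvCpl    REG_SZ    C:\Windows\System32\rundll32.exe C:\Windows\System32\NvCpl.dll,NvStartup
    Updater    REG_SZ    "C:\Windows\system32\rundll32.exe" C:\Users\alice\AppData\Local\Temp\upd.dll,#1
'''

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r'^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$')
# Command line whose executable is rundll32(.exe), with or without path and quotes.
RUNDLL_RE = re.compile(r'^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+(?P<args>.+)$', re.I)
# Locations a standard user can write to (assumed list, extend for your estate).
USER_WRITABLE = ('%appdata%', '%localappdata%', '%temp%', '%userprofile%',
                 '\\users\\', '\\programdata\\')


def parse_reg_query(text):
    """Yield (key, name, type, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith('HKEY_'):
            key = line.strip()
        elif (m := VALUE_RE.match(line)) and key:
            yield key, m['name'], m['type'], m['data']


def rundll32_autoruns(text):
    """Return autorun values launched through rundll32, with a risk flag."""
    findings = []
    for key, name, _type, data in parse_reg_query(text):
        m = RUNDLL_RE.match(data.strip())
        if not m:
            continue
        # The DLL is the first argument, up to the comma before the export name.
        args = m['args'].strip()
        dll = args[1:].split('"', 1)[0] if args.startswith('"') else args.split(',', 1)[0]
        risky = any(p in dll.lower() for p in USER_WRITABLE)
        findings.append({'key': key, 'name': name, 'dll': dll, 'user_writable': risky})
    return findings


if __name__ == '__main__':
    for f in rundll32_autoruns(SAMPLE):
        print(('REVIEW ' if f['user_writable'] else 'info   '), f['name'], '->', f['dll'])
```

Legitimate software also registers rundll32 autoruns, so a hit is a prompt to inspect the DLL's location and signature, not a verdict.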

Source: NetworkWorld







