Finjan warns over new banking Trojan

The code behind the URLZone Trojan is particularly customisable, allowing the bug to be tailored to attack individual banks' systems.

Security researchers have discovered a new Trojan doing the rounds - and this is a particularly insidious bug, quietly siphoning money from your bank account and hiding its actions.

According to CNet, the Trojan - dubbed URLZone - is part of a design-your-own toolkit discovered by researchers working for security firm Finjan. Capable of exploiting holes in most major browsers - Firefox, Internet Explorer versions 6, 7, and 8, and Opera - the Windows-only executable uses a variety of tricks to avoid detection and remain active long enough to siphon money from on-line banking systems.

Capable of being customised to tailor its attacks to any bank, the particular version analysed by Finjan's researchers was targeting a German bank - and not without success. During a 22-day monitoring period in August, Finjan was able to access the command and control server to which the Trojan reported and watch it steal around £273,000 from "a few hundred" accounts. The company's research also unveiled a somewhat worrying 7.5 percent infection rate, with around 6,400 of the 90,000 visitors to the server hosting the malware becoming infected.

In order to hide its activities, the Trojan can be configured with minimum and maximum transfer amounts: high enough to be worth the risk, but low enough that the targeted bank's anti-fraud systems are not triggered. It can also be set to leave a certain available balance in the account, so the victim is not alerted by e-mails warning that they are about to go overdrawn.

The Trojan then silently intercepts communication between the browser and the bank's site, altering information on the fly so that the available balance shown to the user remains unchanged. As far as the end user is concerned, the illegitimate transactions never appear on screen at any time.

Now that this version of the Trojan has been analysed, detection should be forthcoming in the major anti-virus packages. However, modified versions will likely be coming thick and fast in the coming months - and there will always be a gap between a new piece of malware being released and detection being added to anti-virus applications. As usual, a defence-in-depth model seems most appropriate: don't click strange links, keep your system up to date, and use something like NoScript to disable untrusted JavaScript.

As is so often the case, Mac OS and Linux users are unaffected by the Trojan, which is written specifically to run on Windows-based machines.

Does the thought of a Trojan so insidious fill you with fear, or did you always know that on-line banking was a bad idea? How do you ensure your safety - and that of your less-technical family and friends - on the Internet? Share your thoughts over in the forums.

The Jambo 1st October 2009, 15:09 Quote
I've never wanted it to be April 1st while reading an article as much as I do now.
l3v1ck 1st October 2009, 15:15 Quote
Thank heavens for NoScript.
cjoyce1980 1st October 2009, 15:35 Quote
browser and os updates galore again
simonw 1st October 2009, 15:35 Quote
Scary - good thing I have already moved to Linux for my Internet.
pimonserry 1st October 2009, 17:07 Quote
This one actually sounds nasty: most of them can't really log into the online banking systems AFAIK
airchie 1st October 2009, 17:10 Quote
The scariest thing about this trojan is that it doesn't just sniff your bank login details and then let a user try to log in and pilfer your cash, it lets the user log in and then changes the commands on the fly, in both directions, to allow it to rip you off without you even knowing.

Worst of all, this will completely defeat multi-factor authentication.
Scary stuff! :(
Shagbag 1st October 2009, 17:38 Quote
Looks like they forgot to install Microsoft's latest "Security Essentials". rofl.

"This security breach has been brought to you by Microsoft Windows."
mclean007 1st October 2009, 18:21 Quote
Originally Posted by airchie
Worst of all, this will completely defeat multi-factor authentication.
Scary stuff! :(
Scary stuff indeed but I dispute your claim that it will defeat multifactor auth - my bank supplies a little keypad thing that I have to insert my card into. If I want to make a transfer to a new recipient I have to enter the recipient account number, amount and a challenge code, all of which is then hashed together with some unique data from my card to produce an auth code that has to be typed back onto the site in order to make the transfer. It is a crashing bore, but does make me feel a bit more secure after today's news. This trojan can't possibly calculate the requisite authentication code, so can't make silent transfers. Not only that, the authentication code is recipient dependent, so the trojan can't intercept and divert my legit transfers either (the server wouldn't accept the auth code because I would have typed the intended recipient's bank a/c number into the keypad, but the trojan would be trying to post to a different a/c and the auth wouldn't match).
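A defender-side sketch of the recipient-bound authentication code mclean007 describes, written as an added example (not code from the article, Finjan or any bank; the HMAC construction, the 8-digit code format and the per-card secret are assumptions). It shows why a man-in-the-browser that rewrites the recipient after the customer has signed, or replays an old code, is refused by the bank:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample: a per-card secret shared between the bank and the
# customer's card. Hypothetical; real readers derive it from the EMV chip.
CARD_SECRET = b"constructed-demo-card-secret"

# Bank side: challenges issued and not yet consumed (one use each).
_issued_challenges: set[str] = set()

@dataclass(frozen=True)
class Transfer:
    recipient_account: str
    amount_pence: int

def issue_challenge() -> str:
    """Bank side: a fresh nonce displayed on the site for this one transfer."""
    challenge = secrets.token_hex(4)
    _issued_challenges.add(challenge)
    return challenge

def card_reader_code(card_secret: bytes, transfer: Transfer, challenge: str) -> str:
    """Reader side: the customer keys recipient, amount and challenge into the
    offline reader, which MACs them with the card secret and shows a short code."""
    msg = f"{transfer.recipient_account}|{transfer.amount_pence}|{challenge}".encode()
    digest = hmac.new(card_secret, msg, hashlib.sha256).digest()
    # Truncate to 8 decimal digits so a human can retype it into the browser.
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

def bank_verify(card_secret: bytes, submitted: Transfer, challenge: str, code: str) -> bool:
    """Bank side: recompute the code over the transfer details actually received.
    A rewritten recipient or amount, or a reused challenge, fails verification."""
    if challenge not in _issued_challenges:
        return False  # unknown or already consumed challenge: replay refused
    _issued_challenges.discard(challenge)
    expected = card_reader_code(card_secret, submitted, challenge)
    return hmac.compare_digest(expected, code)

def simulate(tamper: bool) -> bool:
    """One transfer; with tamper=True the browser submission is altered after the
    customer produced the code. Returns whether the bank accepts it."""
    intended = Transfer("12345678", 25_000)  # constructed: 250.00 to account 12345678
    challenge = issue_challenge()
    code = card_reader_code(CARD_SECRET, intended, challenge)
    submitted = Transfer("99999999", 25_000) if tamper else intended
    return bank_verify(CARD_SECRET, submitted, challenge, code)

def simulate_replay() -> bool:
    """A captured code resubmitted with its challenge is refused the second time."""
    intended = Transfer("12345678", 25_000)
    challenge = issue_challenge()
    code = card_reader_code(CARD_SECRET, intended, challenge)
    first = bank_verify(CARD_SECRET, intended, challenge, code)
    return first and bank_verify(CARD_SECRET, intended, challenge, code)
```

Note that the code binds only what the customer keyed in: amounts or recipients the reader does not ask for are not protected by it.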
NuTech 1st October 2009, 18:27 Quote
Reading this article, like the replies before me, I know I should be worried/paranoid/disgusted...but...

I just can't help but be impressed by all this. Exploiting flaws, siphoning small but significant amounts dynamically, modifying the html code so you see nothing out of the ordinary?

Assuming this is actually real and not just some deliberate rumour put out by security firms, then wow. Really makes you wonder about the type of person able to code such a sophisticated trojan.
War-Rasta 1st October 2009, 19:50 Quote
I agree with NuTech, I'm also impressed by the level of sophistication and the amount of work that was put into this thing. The sad part is that if this person were using his skills for good he or she would be able to achieve great things that are actually useful for everybody.
K.I.T.T. 1st October 2009, 20:41 Quote
*cough* Entrapment *cough* Swordfish *cough*

I'm going to have to agree again with the two people before me, what it's doing is devilishly ingenious and to be honest quite cool because to do it all on the fly in such a way that no one at either end is any the wiser is clever, very clever in my opinion and it must have taken some serious work to get it to a ready state.

At the same time though it is very scary for the not so tech savvy and even the tech savvy as they'd know nothing about what's going on until it's all over.
airchie 1st October 2009, 21:45 Quote
That's really good to hear Mclean.
Now you mention it, I have a card reader thing I need to use in order to add a new recipient of cash to my online banking.
Aracos 2nd October 2009, 10:22 Quote
As is so often the case, Mac OS and Linux users are unaffected by the Trojan, which is written specifically to run on Windows-based machines.

I have nothing more to say ^_^
