Finjan warns over new banking Trojan

The code behind the URLZone Trojan is particularly customisable, allowing the bug to be tailored to attack individual banks' systems.

Security researchers have discovered a new Trojan doing the rounds - and this is a particularly insidious bug, quietly siphoning money from your bank account and hiding its actions.

According to CNet, the Trojan - dubbed URLZone - is part of a design-your-own toolkit discovered by researchers working for security firm Finjan. Capable of exploiting holes in most major browsers - Firefox, Internet Explorer versions 6, 7, and 8, and Opera - the Windows-only executable uses a variety of tricks to avoid detection and remain active long enough to siphon money from on-line banking systems.

Capable of being customised to tailor its attacks to any bank, the particular version analysed by Finjan's researchers was targeting a German bank - and not without success. During a 22-day monitoring period in August, Finjan was able to access the command and control server to which the Trojan reported and watch it steal around £273,000 from "a few hundred" accounts. The company's research also unveiled a somewhat worrying 7.5 percent infection rate, with around 6,400 of the 90,000 visitors to the server hosting the malware becoming infected.

In order to hide its activities, the Trojan can be customised with a minimum and maximum transfer amount - high enough to be worth the risk, but low enough to avoid triggering the anti-fraud systems in place at the targeted bank. The system can also be programmed to leave a certain amount of available balance in the account - thus avoiding alerting the user with e-mails warning that they are likely to go overdrawn.

The Trojan then silently intercepts communication between the browser and the bank's site, altering information on the fly and ensuring that the available balance shown to the user remains static - meaning that as far as the end user is concerned, the illegitimate transactions never appear on screen at any time.

Now that this version of the Trojan has been analysed, detection should be forthcoming in the major anti-virus packages. However, modified versions will likely be coming thick and fast in the coming months - and there will always be a gap between a new piece of malware being released and detection being added to anti-virus applications. As usual, a defence-in-depth model seems most appropriate: don't click strange links, keep your system up to date, and use something like NoScript to disable untrusted JavaScript.

As is so often the case, Mac OS and Linux users are unaffected by the Trojan, which is written specifically to run on Windows-based machines.

Does the thought of a Trojan so insidious fill you with fear, or did you always know that on-line banking was a bad idea? How do you ensure your safety - and that of your less-technical family and friends - on the Internet? Share your thoughts over in the forums.
Quote The Jambo 1st October 2009, 15:09
I've never wanted it to be April 1st while reading an article as much as I do now.
Quote l3v1ck 1st October 2009, 15:15
Thank heavens for NoScript.
Quote cjoyce1980 1st October 2009, 15:35
browser and os updates galore again
Quote simonw 1st October 2009, 15:35
Scary - good thing I have already moved to Linux for my Internet.
Quote pimonserry 1st October 2009, 17:07
This one actually sounds nasty: most of them can't really log into the online banking systems AFAIK
Quote airchie 1st October 2009, 17:10
The scariest thing about this trojan is that it doesn't just sniff your bank login details and then let a user try to log in and pilfer your cash, it lets the user log in and then changes the commands on the fly, in both directions, to allow it to rip you off without you even knowing.

Worst of all, this will completely defeat multi-factor authentication.
Scary stuff! :(
Quote Shagbag 1st October 2009, 17:38
Looks like they forgot to install Microsoft's latest "Security Essentials". rofl.

"This security breach has been brought to you by Microsoft Windows."
Quote mclean007 1st October 2009, 18:21
Quote:
Originally Posted by airchie
Worst of all, this will completely defeat multi-factor authentication.
Scary stuff! :(
Scary stuff indeed but I dispute your claim that it will defeat multifactor auth - my bank supplies a little keypad thing that I have to insert my card into. If I want to make a transfer to a new recipient I have to enter the recipient account number, amount and a challenge code, all of which is then hashed together with some unique data from my card to produce an auth code that has to be typed back onto the site in order to make the transfer. It is a crashing bore, but does make me feel a bit more secure after today's news. This trojan can't possibly calculate the requisite authentication code, so can't make silent transfers. Not only that, the authentication code is recipient dependent, so the trojan can't intercept and divert my legit transfers either (the server wouldn't accept the auth code because I would have typed the intended recipient's bank a/c number into the keypad, but the trojan would be trying to post to a different a/c and the auth wouldn't match).
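The transaction-bound code described in the comment above, sketched as an added example (not part of the thread and not any bank's actual algorithm). The HMAC-SHA256 construction, the 8-digit truncation, the key and the account numbers are all assumptions made for illustration; an unbound one-time code is included for contrast.

```python
import hashlib
import hmac
import secrets

CARD_KEY = b"constructed-demo-card-secret"  # constructed; a real key stays inside the chip card

def _digits(key: bytes, message: bytes, n: int = 8) -> str:
    """HMAC-SHA256 truncated to an n-digit decimal code (assumed construction)."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**n).zfill(n)

def _encode(*fields: str) -> bytes:
    # Length-prefix every field so ("12", "3") and ("1", "23") cannot collide.
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)

def device_sign(key: bytes, challenge: str, recipient: str, amount_pence: int) -> str:
    """What the hand-held reader computes from what the user types on its keypad."""
    return _digits(key, _encode("txn", challenge, recipient, str(amount_pence)))

def device_login_code(key: bytes, challenge: str) -> str:
    """Unbound code: proves possession of the card, says nothing about the transfer."""
    return _digits(key, _encode("login", challenge))

def server_verify_signed(key, challenge, posted_recipient, posted_amount, code) -> bool:
    """The server recomputes the code over the transfer it actually received."""
    expected = device_sign(key, challenge, posted_recipient, posted_amount)
    return hmac.compare_digest(expected, code)

def server_verify_unbound(key, challenge, code) -> bool:
    return hmac.compare_digest(device_login_code(key, challenge), code)

def demo() -> dict:
    challenge = f"{secrets.randbelow(10**8):08d}"
    intended = ("20304055667788", 25000)  # constructed account number, 250.00 in pence
    altered = ("99887766554433", 25000)   # constructed: request changed after the user typed it
    code = device_sign(CARD_KEY, challenge, *intended)
    otp = device_login_code(CARD_KEY, challenge)
    return {
        "signed_intended": server_verify_signed(CARD_KEY, challenge, *intended, code),
        "signed_altered": server_verify_signed(CARD_KEY, challenge, *altered, code),
        # An unbound code verifies no matter which transfer reaches the server.
        "unbound_altered": server_verify_unbound(CARD_KEY, challenge, otp),
    }

if __name__ == "__main__":
    print(demo())
```

The unbound code still verifies when the posted transfer differs from what the user intended, while the transaction-bound code is rejected because the server recomputes it over the recipient and amount it received.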
Quote NuTech 1st October 2009, 18:27
Reading this article, like the replies before me, I know I should be worried/paranoid/disguised...but...

I just can't help but be impressed by all this. Exploiting flaws, siphoning small but significant amounts dynamically, modifying the html code so you see nothing out of the ordinary?

Assuming this is actually real and not just some deliberate rumour put out by security firms, then wow. Really makes you wonder about the type of person able to code such a sophisticated trojan.
Quote War-Rasta 1st October 2009, 19:50
I agree with NuTech, I'm also impressed by the level of sophistication and the amount of work that was put into this thing. The sad part is that if this person were using his skills for good he or she would be able to achieve great things that are actually useful for everybody.
Quote K.I.T.T. 1st October 2009, 20:41
*cough* Entrapment *cough* Swordfish *cough*

I'm going to have to agree again with the two people before me, what it's doing is devilishly ingenious and to be honest quite cool because to do it all on the fly in such a way and no one at either end is none the wiser is clever, very clever in my opinion and it must have taken some serious work to get it to a ready state.

At the same time though it is very scary for the not so tech savvy and even the tech savvy as they'd know nothing about what's going on until it's all over.
Quote airchie 1st October 2009, 21:45
That's really good to hear Mclean.
Now you mention it, I have a card reader thing I need to use in order to add a new recipient of cash to my online banking.
Quote storm20200 2nd October 2009, 10:22
Quote:
As is so often the case, Mac OS and Linux users are unaffected by the Trojan, which is written specifically to run on Windows-based machines.

I have nothing more to say ^_^