Banking Trojans have become the most malicious form of malware because they’re designed to steal funds directly from bank accounts of individuals and organizations by targeting Automated Clearing House (ACH) and wire transfer transactions. Of course, this extremely profitable fraud is increasingly attracting more perpetrators.
According to the Jan. 13 USA TODAY article, “Cybercrooks stalk small businesses that bank online,” by Byron Acohido, the problem has become so pervasive that the FBI and the American Bankers Association (ABA) in January 2010 jointly advised companies to use dedicated computers for online banking operations after hundreds of thousands of dollars were siphoned from the accounts of several small businesses and public institutions.
Perpetrators infect computer systems with banking Trojans as the first step in obtaining the personal information required to perform rogue financial transactions. Trojans come in thousands of variants and use a variety of vectors to infect systems, including exploiting vulnerabilities in web browsers, tricking users into downloading legitimate-looking software, and exploiting operating systems’ vulnerabilities.
“Drive-by downloads” are probably the most efficient (and thus most popular) way of infecting systems. As the victim browses websites, he might unwittingly come across an infected site that will instruct the user’s browser to download, without the user’s consent, malicious software that will in turn download the banking Trojan. Fraudsters also distribute malicious software on social networking sites by tricking users into downloading apparently legitimate software touting the enhancement of the social networking experience.
Also, botnets (networks of infected computers) might seek to infect systems by exploiting vulnerabilities on unpatched and unprotected systems. Users’ computers are infected without their knowledge because the vulnerability serves as the infection vector.
Adequate antivirus software eventually will detect Trojans on computer systems. Antivirus companies usually release signatures to detect and remove Trojans shortly after they know new Trojans exist. However, there’s often a delay before a new Trojan is detected and reported to the antivirus companies, because users normally don’t know their systems are infected.
So during that time lag, Trojans can wreak havoc, and cybercriminals will have paid off their initial investments into developing the malware. Also, Trojans will continue to live on in limited forms as they continue to infect computers that aren’t protected by up-to-date antivirus software.
Once systems are infected, Trojans attempt to capture credentials (the usernames and passwords used to access accounts) from financial transactions with banks, the ACH, and wire transfer services. To achieve this, Trojans can:
The captured credentials might then be communicated back to other systems and collected by fraudsters for future use or resale on underground economy servers.
Fraudsters lure users with “make cash at home” website scams, which trick them into becoming “money mules” and unwittingly launder money that scammers have stolen using banking Trojans or other means such as phishing. The victims deposit the money into their personal bank accounts and then innocently transfer it to accounts given to them by the scammers after accepting a small commission. The victims believe they’re financial agents of legitimate organizations. However, honest companies always use escrow services for transferring funds.
Other newer Trojans can receive instructions through “command and control” infrastructures to execute transactions directly on compromised systems using captured credentials. These infrastructures, composed of servers managed by the fraudsters, often are located in countries in which law enforcement collaboration is limited, thus impeding the ability to shut down the servers and investigate who’s behind these banking Trojans. They issue commands to the infected systems and control certain elements of their behavior via communication channels back to infected machines.
New banking Trojans have the ability to alter online bank statements so organizations and individuals aren’t able to notify their financial institutions of unauthorized transactions. Evidence linked with the illicit transactions can be lost.
Automated Trojans can transfer small random amounts of money to fraudsters’ accounts and avoid detection by anti-fraud systems because these systems seek out repetitive patterns or other trends that might indicate anomalies.
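To illustrate the detection gap described above, here is an added example (not part of the original column) that runs two monitoring rules over a constructed ledger of outgoing transfers: a naive rule that only flags a payee receiving the same amount repeatedly, and an aggregate rule that flags a previously unknown payee whose transfers, however varied in amount, add up to more than a threshold within a short window. The ledger format, payee names, thresholds and window are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger of outgoing transfers: (timestamp, beneficiary, amount).
# "New Beneficiary 7731" receives a drip of small, non-repeating amounts.
TRANSFERS = [
    ("2010-01-11 09:02", "ACME Payroll", 4200.00),
    ("2010-01-11 10:15", "New Beneficiary 7731", 487.13),
    ("2010-01-11 11:40", "New Beneficiary 7731", 612.90),
    ("2010-01-11 14:05", "New Beneficiary 7731", 533.27),
    ("2010-01-12 08:55", "New Beneficiary 7731", 598.44),
    ("2010-01-12 09:30", "Office Supply Co", 150.00),
    ("2010-01-12 09:31", "Office Supply Co", 150.00),
    ("2010-01-12 09:32", "Office Supply Co", 150.00),
]
# Assumed allow-list of beneficiaries the organization has paid before.
KNOWN_PAYEES = {"ACME Payroll", "Office Supply Co"}


def repeated_amount_rule(transfers, min_repeats=3):
    """Naive pattern rule: flag payees that receive the identical amount
    min_repeats times or more. Varied amounts slip through entirely."""
    counts = defaultdict(int)
    for _, payee, amount in transfers:
        counts[(payee, round(amount, 2))] += 1
    return sorted({payee for (payee, _), n in counts.items() if n >= min_repeats})


def new_payee_drip_rule(transfers, known_payees, window=timedelta(days=2),
                        max_total=1500.0, min_count=3):
    """Aggregate rule: for each payee not on the allow-list, look at every
    sliding window of transfers and flag the payee when at least min_count
    transfers inside the window sum to more than max_total, regardless of
    whether any individual amount repeats."""
    by_payee = defaultdict(list)
    for ts, payee, amount in transfers:
        if payee not in known_payees:
            by_payee[payee].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), amount))
    flagged = []
    for payee, items in by_payee.items():
        items.sort()  # chronological order so each window starts at items[i]
        for i, (start, _) in enumerate(items):
            in_window = [amt for t, amt in items[i:] if t - start <= window]
            if len(in_window) >= min_count and sum(in_window) > max_total:
                flagged.append(payee)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("repeated-amount rule flags:", repeated_amount_rule(TRANSFERS))
    print("new-payee drip rule flags:", new_payee_drip_rule(TRANSFERS, KNOWN_PAYEES))
```

The naive rule flags only the legitimate repeated office-supply payments and misses the drip of varied amounts, while the aggregate rule surfaces the unknown beneficiary on cumulative total alone.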
Banking Trojans have become a non-negligible threat to organizations that perform any form of online transaction processing, from web access and bank accounts to wire transfer services and the ACH. You should have a dedicated computer for online banking operations so you can limit your system’s exposure.
In the next column, we’ll examine the value of metadata in forensic investigations.
Jean-François Legault is a senior manager with Deloitte’s Forensic & Dispute Services practice in Montreal, Canada.