Daily cyber threats and internet security news: network security, online safety and latest security alerts
February 11th, 2010

New Banking Trojan Discovered in the Wild

Researchers from Atlanta-based security vendor SecureWorks have discovered a new information-stealing trojan facilitating ACH and wire fraud. The trojan has all the capabilities of malware commonly used to steal money from SMBs and non-profits.

An unprecedented wave of Automated Clearing House (ACH) and wire fraud started in 2009, resulting in small and medium-sized companies, public institutions and non-profit organizations losing millions of dollars to cyber-criminals. The problem prompted the FBI and the American Bankers Association to recommend that online banking operations be performed from dedicated computers only.

These attacks start by infecting computers on an organization’s network with the purpose of stealing online banking credentials. The Clampi and Zeus (Zbot) families of trojans have so far dominated this aspect of cyber-crime and positioned themselves as the leading information-stealing computer trojans.

However, it seems other groups are willing to challenge that supremacy, especially since antivirus products are getting better at generically detecting modified Clampi and Zeus variants, which significantly reduces their success rate. The trojan discovered by SecureWorks back in January, which was dubbed Bugat, appears to be one of these new competitors.

“In mid-January, the installer for Bugat had moderate coverage (20/40), according to VirusTotal. The most commonly identified name (Bredolab) corresponds to a family of trojan downloaders. However, its runtime behavior did not match what one would expect from Bredolab. The installed mspdb30.dll file had almost no AV recognition (2/41),” Jason Milletary, SecureWorks’ technical director for malware analysis, explains on the company’s research blog.

Bugat is capable of capturing information entered in Web forms, altering the content of targeted websites, and stealing browser cookies as well as FTP and POP3 credentials. Additionally, the malware can function as a SOCKS proxy server, upload files from the infected computer to a remote server, or download and execute programs.

The trojan communicates with a command and control (C&C) server from which it receives instructions and updates to the list of financial websites it targets. This communication can be encrypted in order to thwart traffic inspection tools.
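Because the C&C channel described above can be encrypted, payload inspection alone is unreliable; the timing regularity of repeated connections to the same external host is one signal that does not depend on content. The following is an added example, not code from the article or from SecureWorks: it parses a constructed proxy-log format (timestamp, client IP, destination, bytes) and flags client/destination pairs whose connection intervals are unusually regular. The log format, the sample lines, the thresholds (`min_connections`, `max_cv`) and the addresses are all assumptions made for this example.

```python
"""Flag periodic outbound connections ("beaconing") in proxy logs.

Added example; not part of the original article. The log format, the
sample lines and the thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp client_ip destination bytes".
# 10.0.0.15 contacts 203.0.113.7 roughly every five minutes (the beacon);
# the other entries are ordinary, irregular browsing.
SAMPLE_LOG = """\
2010-02-11T09:00:01 10.0.0.15 203.0.113.7 512
2010-02-11T09:00:03 10.0.0.15 cdn.example.net 9811
2010-02-11T09:05:02 10.0.0.15 203.0.113.7 517
2010-02-11T09:07:44 10.0.0.22 news.example.org 30211
2010-02-11T09:10:01 10.0.0.15 203.0.113.7 509
2010-02-11T09:12:10 10.0.0.22 news.example.org 1021
2010-02-11T09:15:02 10.0.0.15 203.0.113.7 515
2010-02-11T09:20:01 10.0.0.15 203.0.113.7 511
2010-02-11T09:31:55 10.0.0.22 mail.example.org 4410
"""


def parse_log(text):
    """Group connection timestamps by (client, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _size = line.split()
        events[(client, dest)].append(datetime.fromisoformat(ts))
    return events


def gap_stats(timestamps):
    """Return (mean_gap_seconds, coefficient_of_variation) for the gaps
    between consecutive connections, or None if there are too few gaps
    (fewer than three) to say anything about regularity."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    mu = mean(gaps)
    if mu == 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(text, min_connections=5, max_cv=0.1):
    """List (client, destination, mean_gap_seconds) for pairs that connect
    repeatedly at near-constant intervals. A low coefficient of variation
    means the gaps barely change, which is typical of scheduled check-ins
    and atypical of a person browsing."""
    hits = []
    for (client, dest), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        stats = gap_stats(stamps)
        if stats is None:
            continue
        mean_gap, cv = stats
        if cv <= max_cv:
            hits.append((client, dest, round(mean_gap)))
    return hits


if __name__ == "__main__":
    for client, dest, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dest}: ~{gap}s interval, candidate beacon")
```

On the constructed sample the only pair reported is 10.0.0.15 to 203.0.113.7 at a 300-second interval; the browsing entries never reach the minimum connection count or are too irregular. In practice the thresholds need tuning per environment, and regular traffic such as software update checks will also score as periodic, so hits are a starting point for triage rather than a verdict.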

“The emergence of Bugat reinforces that there is a strong demand for new malware to commit financial credential theft and that ACH and wire fraud remains a profitable venture for criminals,” Mr. Milletary concludes. Indeed, just last week, Symantec warned of a new Zeus-like crimeware toolkit called SpyEye.

Credit: News
