Trojan horses steal bank details, passwords

Cybercriminals use new Trojan horse tricks to steal money via bank Web sites and to nab personal passwords.

Dawn Kawamoto Former Staff writer, CNET News

Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.

Dawn Kawamoto

March 27, 2006 6:51 a.m. PT

2 min read

Two Trojan horses with distinctive traits have been flagged by security researchers: one that hijacks one-time-use passwords, and another that hides behind a rootkit.

The unrelated malicious programs, reported this week by security companies, represent new twists thought up by hackers in their development of Trojan horses, which are harmful programs disguised to look like innocent software.

Banks in the United Kingdom, Germany and Spain have been targeted by MetaFisher, otherwise known as Spy-Agent and PWS. After infecting a computer, the Trojan horse waits until the user visits a legitimate bank Web site, then injects malicious HTML into certain fields there. The program then hijacks one-time-use PINs and transaction numbers as the person enters them into the fields.

As a result, those one-time PINs and transaction numbers are never logged onto the Web site and they remain valid, said Ramses Martinez, a director at security firm iDefense. The intruders likely store the data either for their own use or sell them on to others, he added.

The attackers attempt to place the Trojan on a computer using an exploit for the Windows Meta File flaw in Microsoft's Internet Explorer, according to a Symantec advisory. The potential victim must visit a malicious Web site to infect their system, and attackers may use e-mails to direct them there. A keylogger, which surreptitiously records the user's keystrokes, is installed on the computer alongside the Trojan.

Sana Labs discovered the other Trojan, which is distributed alongside a rootkit that hides it. The malicious software spreads via the Alcra worm, which directs infected Microsoft Windows PCs to Web sites where the programs are downloaded, Sana said. The Trojan is able to unearth passwords and usernames used previously on a machine and does not have to track keystrokes, according to Sana. The security company said it has discovered 37,000 usernames and passwords, the majority for social networking Web sites, on log files in 7,000 locations.

Once the malicious software is loaded onto a PC, it communicates with a Russian Web server, which stores the usernames and passwords gleaned by the Trojan.

Sana said the Trojan is well hidden by the kernel-level rootkit and that because of this, some antivirus programs may have difficulty detecting it. The company said that as of Monday, only five security applications--UNA, VBA32, Sophos, NOD32 version 2 and eTrust-Vet--were able to detect the threat.