Security company warns of new Banker Trojan

Security vendor Sophos has warned of a new piece of malware that takes a sneaky approach to intercepting people's Internet banking details.

All the Trojan does is add eight entries to Windows' HOSTS file. This file associates host names with specific IP addresses, without reference to the Internet's Domain Name Service. It has some legitimate uses, but the Bancos-BDF Trojan uses it to associate host names corresponding to a South American banking institution with an IP address that has nothing to do with the bank.

"What this means for anyone infected by this particular Trojan is that any and all attempts to visit the website of the target bank, including logging in to check your balance, viewing the bank homepage and even email correspondence will be re-routed to the assailant's IP address," said Chris Mitchell of SophosLabs Australia. "This would give the attacker all the information he needs and by duplicating the bank's stationery and email signatures he could wreak untold damage to unassuming victims."

While similar tricks have been played for some time - HOSTS file hijacking has been around for at least four years - Mitchell said, "This is by far the most effective man-in-the-middle attack I have evidence of to date."

One bona fide use of a modified HOSTS file is to block access to 'known bad' domains, but that job is probably better left to security software and firewalls for ease of management.