TrustDefender looks deep into banking trojan’s soul

Alex Zaharov-Reutt
Tuesday, 25 November 2008 09:49

Your IT - Home IT

What Silentbanker does is to use a number of techniques to steal confidential information, and Baumhof explains:

“- It downloads encrypted configuration files from the internet to stay up-to-date with the policies

- It injects malicious HTML inside the current browser process to circumvent any browser based security solutions, including (EV-) SSL certificates, …

- It is a real-time Trojan that will transmit the stolen information instantly to circumvent any sandbox security solutions and 2-factor authentication devices. That also means that someone without your knowledge and without your approval is successfully authenticated. Even with a One-Time-Password.

- It uses userland-rootkit techniques to hide the malicious components from the harddrive to evade detection.

- However in the end, the Silentbanker Trojan is a very sophisticated BHO (Browser Helper Object) that works only with the Internet Explorer.”

TrustDefender explains that its “customers were protected against this by design with the Safe&Secure Mode and the Secure Lockdown.”

What are some technical details on the way SilentBanker works?

Baumhof explains that: “Once infected, the malicious BHO named mscorews.dll is loaded as a BHO from the Internet Explorer. However the interesting part is that once it is loaded, it will not be visible in the file system.

“Even more: Once the component is loaded, it will hide the file from the Windows API thus making the file “invisible”. Also the malicious DLL cannot be located through traversal of the module list of the Internet Explorer. In some sense, it does neither exist in memory, nor on the disk. Pretty clever.

“If the user now browses to a banking website that is known to the Silentbanker Trojan, it will inject the malicious HTML code.”

 At this point the TrustDefender blog includes a series of images to illustrate what is going on, which you can see at the blog posting.

Baumhof continues explaining that: “Now that the Trojan asks for addition private and confidential information from the user as opposed to the information the real bank login would ask. This information is collected and sent ‘in real-time’ to the C&C [command and control] server located in Russia.

“What happens if TrustDefender is deployed: With TrustDefender installed, when the customer logs in, we can also verify that the Secure Lockdown will successfully protect the user from having their confidential details stolen as the Silentbanker Trojan cannot send anything to anywhere (except the “real” SSL Certificate Fingerprints of Bank of America).
 
“Note: Another interesting fact is that this Silentbanker Trojan specifically targets the TAN (One-Time-Passwords) implemented mostly by German banks. This shows that there is only so much you can do on the server side and a full security solution has to include the client.

“The targeted banks for the TAN systems are: Postbank.de, Citibank.de, Deutsche-Bank.de, Norisbank.de, Seb-Bank.de, Fiducia.de (all Volks-/Raiffeisenbanken), Comdirect.de, 1822direkt.com, Haspa.de, Hypovereinsbank.de, Weberbank.de, Gad.de, Sparda.de, Mlp.de, Kaupthinedge.de, Psd-bank.de,” continued Baumhof.

Worryingly, Baumhof concluded that “Unfortunately the virustotal results of the malicious Silentbanker Module is quite disastrous (only 7 out of 36 Antivirus Engines detected the Trojan) last week. (see VirusTotal.com’s analysis for more details).”

It’s very interesting to note that today’s Internet Security suites do not contain TrustDefender’s capabilities, and that TrustDefender seamlessly works with any Windows security software making layered security solutions even stronger.

I wonder which security company will snap it up – and irrespective of that – when your bank or financial institution will announce it is offering TrustDefender to all its customers?