But the latest trojans can be like undetected viruses – if your Internet security doesn’t know about a particularly brand new threat, will you still be protected?
Chances are the answer to that question is “no”, no matter what commercial Internet Security suite you are using – or at least, not until that suite has updated its “definitions” to include the latest trojan, so it can be detected and dealt with.
Over the past couple of years, an Australian security company called TrustDefender has taken a completely different approach, with software able to detect and physically stop any malware on any Windows computer, be it known or unknown, from penetrating your online banking (or any other transactional session online) - even if your computer is infected with the toughest and sneakiest trojans out there, or new ones hot off the cybercrim’s programming malware press.
That’s what TrustDefender claim, and they’ve been recognised by the Australian Information Industry Association, winning an award (among others) in the financial category, and already have financial institutions offering TrustDefender software to their customers.
In addition, TrustDefender’s software works by making your computer a part of the bank’s security chain – the first software to do so.
It’s also completely browser independent, meaning it does not matter whether you are using Internet Explorer, Firefox, Google Chrome, Safari or something else, because browser independence means just that. You can find out more about how TrustDefender works on its website.
The company is led by Ted Egan, the CEO and co-founder and by Andreas Baumhof, co-founder and CTO. On TrustDefender’s blog, Baumhof regularly looks deep into the soul of the latest crimeware to understand the latest tricks, techniques and mindset of the malware programmer and online criminal.
The latest blog entry, dated November 24 2008, takes an “In-depth look at a Silentbanker variant (Silentbanker.B)”.
Baumhof, explains that last week he was looking “at a compromised computer that was infected with the Silentbanker.B variant”, and he took the opportunity to “recover all relevant files including the installer.”
How did this nefarious trojan get onto a compromised computer that Andreas was now performing some forensics on? Through the horrors of the drive-by-download and as the computer’s Antivirus software had no signatures for the Silentbanker trojan, it was able to install itself.
What TrustDefender found within is on page 2... please read on.
What Silentbanker does is to use a number of techniques to steal confidential information, and Baumhof explains:
- It injects malicious HTML inside the current browser process to circumvent any browser based security solutions, including (EV-) SSL certificates, …
- It is a real-time Trojan that will transmit the stolen information instantly to circumvent any sandbox security solutions and 2-factor authentication devices. That also means that someone without your knowledge and without your approval is successfully authenticated. Even with a One-Time-Password.
- It uses userland-rootkit techniques to hide the malicious components from the harddrive to evade detection.
- However in the end, the Silentbanker Trojan is a very sophisticated BHO (Browser Helper Object) that works only with the Internet Explorer.”
TrustDefender explains that its “customers were protected against this by design with the Safe&Secure Mode and the Secure Lockdown.”
What are some technical details on the way SilentBanker works?
Baumhof explains that: “Once infected, the malicious BHO named mscorews.dll is loaded as a BHO from the Internet Explorer. However the interesting part is that once it is loaded, it will not be visible in the file system.
“Even more: Once the component is loaded, it will hide the file from the Windows API thus making the file “invisible”. Also the malicious DLL cannot be located through traversal of the module list of the Internet Explorer. In some sense, it does neither exist in memory, nor on the disk. Pretty clever.
“If the user now browses to a banking website that is known to the Silentbanker Trojan, it will inject the malicious HTML code.”
At this point the TrustDefender blog includes a series of images to illustrate what is going on, which you can see at the blog posting.
Baumhof continues explaining that: “Now that the Trojan asks for addition private and confidential information from the user as opposed to the information the real bank login would ask. This information is collected and sent ‘in real-time’ to the C&C [command and control] server located in Russia.
“What happens if TrustDefender is deployed: With TrustDefender installed, when the customer logs in, we can also verify that the Secure Lockdown will successfully protect the user from having their confidential details stolen as the Silentbanker Trojan cannot send anything to anywhere (except the “real” SSL Certificate Fingerprints of Bank of America).
“Note: Another interesting fact is that this Silentbanker Trojan specifically targets the TAN (One-Time-Passwords) implemented mostly by German banks. This shows that there is only so much you can do on the server side and a full security solution has to include the client.
“The targeted banks for the TAN systems are: Postbank.de, Citibank.de, Deutsche-Bank.de, Norisbank.de, Seb-Bank.de, Fiducia.de (all Volks-/Raiffeisenbanken), Comdirect.de, 1822direkt.com, Haspa.de, Hypovereinsbank.de, Weberbank.de, Gad.de, Sparda.de, Mlp.de, Kaupthinedge.de, Psd-bank.de,” continued Baumhof.
Worryingly, Baumhof concluded that “Unfortunately the virustotal results of the malicious Silentbanker Module is quite disastrous (only 7 out of 36 Antivirus Engines detected the Trojan) last week. (see VirusTotal.com’s analysis for more details).”
It’s very interesting to note that today’s Internet Security suites do not contain TrustDefender’s capabilities, and that TrustDefender seamlessly works with any Windows security software making layered security solutions even stronger.
I wonder which security company will snap it up – and irrespective of that – when your bank or financial institution will announce it is offering TrustDefender to all its customers?