Tuesday, 25 November 2008 09:49

TrustDefender looks deep into banking trojan's soul

By
Banking trojans, such as the reviled “SilentBanker” trojan that is capturing unsuspecting and even anti-virus protected users by surprise and ripping money out of bank accounts, are digital curses upon not only users but the financial industry as a whole. Security experts TrustDefender take it apart in their latest blog entry.

If you use a Windows based computer to do your online banking, chances are that you have an up-to-date Internet Security package with anti-virus, anti-malware/spyware, anti-rootkit, firewall and more.

But the latest trojans can be like undetected viruses – if your Internet security doesn’t know about a particularly brand new threat, will you still be protected?

Chances are the answer to that question is “no”, no matter what commercial Internet Security suite you are using – or at least, not until that suite has updated its “definitions” to include the latest trojan, so it can be detected and dealt with.

Over the past couple of years, an Australian security company called TrustDefender has taken a completely different approach, with software able to detect and physically stop any malware on any Windows computer, be it known or unknown, from penetrating your online banking (or any other transactional session online) - even if your computer is infected with the toughest and sneakiest trojans out there, or new ones hot off the cybercrim’s programming malware press.

That’s what TrustDefender claim, and they’ve been recognised by the Australian Information Industry Association, winning an award (among others) in the financial category, and already have financial institutions offering TrustDefender software to their customers.

In addition, TrustDefender’s software works by making your computer a part of the bank’s security chain – the first software to do so.

It’s also completely browser independent, meaning it does not matter whether you are using Internet Explorer, Firefox, Google Chrome, Safari or something else, because browser independence means just that. You can find out more about how TrustDefender works on its website.

The company is led by Ted Egan, the CEO and co-founder and by Andreas Baumhof, co-founder and CTO. On TrustDefender’s blog, Baumhof regularly looks deep into the soul of the latest crimeware to understand the latest tricks, techniques and mindset of the malware programmer and online criminal.

The latest blog entry, dated November 24 2008, takes an “In-depth look at a Silentbanker variant (Silentbanker.B)”.

Baumhof, explains that last week he was looking “at a compromised computer that was infected with the Silentbanker.B variant”, and he took the opportunity to “recover all relevant files including the installer.”

How did this nefarious trojan get onto a compromised computer that Andreas was now performing some forensics on? Through the horrors of the drive-by-download and as the computer’s Antivirus software had no signatures for the Silentbanker trojan, it was able to install itself.

What TrustDefender found within is on page 2... please read on.


What Silentbanker does is to use a number of techniques to steal confidential information, and Baumhof explains:

“- It downloads encrypted configuration files from the internet to stay up-to-date with the policies

- It injects malicious HTML inside the current browser process to circumvent any browser based security solutions, including (EV-) SSL certificates, …

- It is a real-time Trojan that will transmit the stolen information instantly to circumvent any sandbox security solutions and 2-factor authentication devices. That also means that someone without your knowledge and without your approval is successfully authenticated. Even with a One-Time-Password.

- It uses userland-rootkit techniques to hide the malicious components from the harddrive to evade detection.

- However in the end, the Silentbanker Trojan is a very sophisticated BHO (Browser Helper Object) that works only with the Internet Explorer.”

TrustDefender explains that its “customers were protected against this by design with the Safe&Secure Mode and the Secure Lockdown.”

What are some technical details on the way SilentBanker works?

Baumhof explains that: “Once infected, the malicious BHO named mscorews.dll is loaded as a BHO from the Internet Explorer. However the interesting part is that once it is loaded, it will not be visible in the file system.

“Even more: Once the component is loaded, it will hide the file from the Windows API thus making the file “invisible”. Also the malicious DLL cannot be located through traversal of the module list of the Internet Explorer. In some sense, it does neither exist in memory, nor on the disk. Pretty clever.

“If the user now browses to a banking website that is known to the Silentbanker Trojan, it will inject the malicious HTML code.”

 At this point the TrustDefender blog includes a series of images to illustrate what is going on, which you can see at the blog posting.

Baumhof continues explaining that: “Now that the Trojan asks for addition private and confidential information from the user as opposed to the information the real bank login would ask. This information is collected and sent ‘in real-time’ to the C&C [command and control] server located in Russia.

“What happens if TrustDefender is deployed: With TrustDefender installed, when the customer logs in, we can also verify that the Secure Lockdown will successfully protect the user from having their confidential details stolen as the Silentbanker Trojan cannot send anything to anywhere (except the “real” SSL Certificate Fingerprints of Bank of America).
 
“Note: Another interesting fact is that this Silentbanker Trojan specifically targets the TAN (One-Time-Passwords) implemented mostly by German banks. This shows that there is only so much you can do on the server side and a full security solution has to include the client.

“The targeted banks for the TAN systems are: Postbank.de, Citibank.de, Deutsche-Bank.de, Norisbank.de, Seb-Bank.de, Fiducia.de (all Volks-/Raiffeisenbanken), Comdirect.de, 1822direkt.com, Haspa.de, Hypovereinsbank.de, Weberbank.de, Gad.de, Sparda.de, Mlp.de, Kaupthinedge.de, Psd-bank.de,” continued Baumhof.

Worryingly, Baumhof concluded that “Unfortunately the virustotal results of the malicious Silentbanker Module is quite disastrous (only 7 out of 36 Antivirus Engines detected the Trojan) last week. (see VirusTotal.com’s analysis for more details).”

It’s very interesting to note that today’s Internet Security suites do not contain TrustDefender’s capabilities, and that TrustDefender seamlessly works with any Windows security software making layered security solutions even stronger.

I wonder which security company will snap it up – and irrespective of that – when your bank or financial institution will announce it is offering TrustDefender to all its customers?


Subscribe to ITWIRE UPDATE Newsletter here

Active Vs. Passive DWDM Solutions

An active approach to your growing optical transport network & connectivity needs.

Building dark fibre network infrastructure using WDM technology used to be considered a complex challenge that only carriers have the means to implement.

This has led many enterprises to build passive networks, which are inferior in quality and ultimately limit their future growth.

Why are passive solutions considered inferior? And what makes active solutions great?

Read more about these two solutions, and how PacketLight fits into all this.

CLICK HERE!

WEBINAR INVITE 8th & 10th September: 5G Performing At The Edge

Don't miss the only 5G and edge performance-focused event in the industry!

Edge computing will play a critical part within digital transformation initiatives across every industry sector. It promises operational speed and efficiency, improved customer service, and reduced operational costs.

This coupled with the new capabilities 5G brings opens up huge opportunities for both network operators and enterprise organisations.

But these technologies will only reach their full potential with assured delivery and performance – with a trust model in place.

With this in mind, we are pleased to announce a two-part digital event, sponsored by Accedian, on the 8th & 10th of September titled 5G: Performing at the Edge.

REGISTER HERE!

BACK TO HOME PAGE
Alex Zaharov-Reutt

One of Australia’s best-known technology journalists and consumer tech experts, Alex has appeared in his capacity as technology expert on all of Australia’s free-to-air and pay TV networks on all the major news and current affairs programs, on commercial and public radio, and technology, lifestyle and reality TV shows. Visit Alex at Twitter here.

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments