
Banker Trojans – Who

Banker Trojan horses (also known as plain Bankers) are a special family of malware aimed at stealing log-in information related to banks (such as login names, passwords, PIN numbers and others).

Highly discreet, they are by far the most damaging class of Trojans for the casual e-banking user.

Banker Trojans have been around for a while, and they are still inflicting significant damage on users’ e-banking accounts. However, because they are harder to notice than their Rogue AV siblings, computer users tend to overlook their destructive potential.

Unlike conventional keyloggers, which intercept and send each and every key the user presses while in front of the computer, Banker Trojans are specially written pieces of malware with a sixth sense: they remain dormant most of the time and only wake up when the user points the browser at one of the bank sites the malware has been instructed to monitor. When they see such a site, they perform various tricks to intercept the entered credentials and then report back to base.

It is this extra level of stealth that makes the Banker Trojan awfully difficult to detect: it eliminates the steady stream of traffic a keylogger generates by constantly transmitting everything it intercepts over the Internet. Moreover, since it only collects a few bytes of data per session, it can deliver the credentials to the attacker’s web site in a single, ordinary-looking POST or GET request.

Since all these requests are performed as plain HTTP traffic, the Banker Trojan need not worry about blocked ports or firewalls, and the chances of a system administrator spotting the rogue packets on the network drop dramatically. In practice, the only way to notice that something is wrong is to actively monitor the traffic leaving the user’s machine during the short window in which the user visits the e-banking website and presses the Submit button.
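The monitoring described above can be turned into a concrete rule: treat every POST to the bank’s login page as the start of a short watch window, and flag any small outbound request from the same client to a non-bank host inside that window. The script below is an added example, not part of the original article or any Bitdefender product; the proxy log format, the host names and the 30-second / 512-byte thresholds are constructed assumptions for illustration.

```javascript
// Added example (not from the original article): correlate a web proxy log to
// catch the tiny HTTP "report back" a banker sends right after the user submits
// a bank login form. Log format, hosts and thresholds are assumptions.

// Banks whose login POSTs open a watch window (assumed host).
const BANK_HOSTS = new Set(['ebank.example']);
const WINDOW_SECONDS = 30;    // how long after the login POST we keep looking
const MAX_BEACON_BYTES = 512; // a credential beacon carries only a few bytes

// Constructed proxy lines: "<ISO time> <client ip> <method> <url> <bytes sent>"
const LOG_LINES = [
  '2024-03-05T10:20:55Z 10.0.0.12 GET https://ebank.example/login 0',
  '2024-03-05T10:21:03Z 10.0.0.12 POST https://ebank.example/login 96',
  '2024-03-05T10:21:04Z 10.0.0.12 GET https://ebank.example/static/logo.png 0',
  '2024-03-05T10:21:05Z 10.0.0.12 POST https://cdn-stats.example/s.php 74',
  '2024-03-05T10:21:07Z 10.0.0.12 GET https://news.example/?u=alice&p=hunter2 0',
  '2024-03-05T10:25:40Z 10.0.0.12 POST https://shop.example/cart 2310',
  '2024-03-05T10:30:00Z 10.0.0.7 POST https://ebank.example/login 96',
  '2024-03-05T10:30:01Z 10.0.0.7 GET https://ebank.example/accounts 0',
];

// Split one log line into a request record with a numeric timestamp (seconds).
function parseLine(line) {
  const [ts, client, method, url, bytes] = line.trim().split(/\s+/);
  return {
    t: Date.parse(ts) / 1000,
    client,
    method,
    url,
    host: new URL(url).hostname,
    bytes: Number(bytes),
  };
}

// A request looks like a beacon when it leaves the bank's domain and carries a
// small payload: a tiny POST body, or a GET that smuggles data in the query.
function looksLikeBeacon(req) {
  if (BANK_HOSTS.has(req.host)) return false;
  if (req.method === 'POST') return req.bytes > 0 && req.bytes <= MAX_BEACON_BYTES;
  if (req.method === 'GET') return new URL(req.url).search.length > 1;
  return false;
}

// Every bank login POST opens a per-client window; any beacon-looking request
// from the same client inside that window is reported with its delay.
function findCredentialBeacons(lines) {
  const reqs = lines.map(parseLine).sort((a, b) => a.t - b.t);
  const alerts = [];
  for (const login of reqs) {
    if (login.method !== 'POST' || !BANK_HOSTS.has(login.host)) continue;
    for (const r of reqs) {
      if (r.client !== login.client) continue;
      if (r.t < login.t || r.t - login.t > WINDOW_SECONDS) continue;
      if (looksLikeBeacon(r)) {
        alerts.push({ client: r.client, loginAt: login.t, url: r.url, delay: r.t - login.t });
      }
    }
  }
  return alerts;
}

const beaconAlerts = findCredentialBeacons(LOG_LINES);
console.log(beaconAlerts.map((a) => `${a.client} -> ${a.url} (${a.delay}s after login)`));
// -> [ '10.0.0.12 -> https://cdn-stats.example/s.php (2s after login)',
//      '10.0.0.12 -> https://news.example/?u=alice&p=hunter2 (4s after login)' ]
```

The large POST to the shop a few minutes later and the second client’s normal bank session produce no alert; only the two small off-domain requests that follow the first login within the window are reported. In a real deployment the thresholds need tuning per site, since analytics and CDN calls fired by the bank page itself can look just like this.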

As stated before, the Banker Trojan pulls various stunts to get at the data. First of all, no key-logging. There are only a few, extremely unfortunate examples of bankers using key-logging methods, since any kind of keyboard hook may be identified by the anti-virus solution as a keystroke interceptor and blocked before it manages to snatch and forward the data. Secondly, no e-mailing home. Most keyloggers use the SMTP protocol to send the collected data to the attacker’s e-mail address. This is somewhat of an inconvenience for a stealth master, since

a) the SMTP ports (25, 465 and 587) may be blocked for external destinations or require extra layers of authentication

 and

b) the SMTP packets are pretty bulky and easily spotted by network sniffing applications a system administrator might have set in place.

Instead of going down the keylogger’s path, Bankers would rather perform one of two types of attack: “Man-in-the-Browser” and browser hijacking. The former is fairly new on the malware market and relies on transparently seizing and modifying the HTML content sent by a legitimate web server before the browser renders it. Because the tampering happens inside the browser, after any TLS decryption, the address bar and certificate still look perfectly legitimate, and the user has no reason to doubt that what they see was sent by the bank’s web server.

The latter is pretty old and relies on the same principle of intercepting and manipulating calls between server and client, but it lacks the means to succeed if the remote server uses authentication factors other than username and password.

Basically, to fool the user into disclosing their username and password for the online banking application, the locally installed Banker Trojan either picks up the login credentials directly from the Internet banking login form as the user types them in, or draws a fake e-banking login form on top of the bank’s genuine one. This approach is likely to trick even experienced users into disclosing their login credentials.
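To make the Man-in-the-Browser mechanism concrete, the script below models the “web inject” side of it and the one check that can still catch it. It is an added example, not code from the original article or from any Bitdefender product or real malware family; the target URL pattern, the marker string, the bank login page and the expected field list are all constructed assumptions. The trojan stays dormant for every URL that does not match its list and, on the bank’s page, splices extra credential fields in right after a marker it knows the genuine HTML contains. Because the server never sees the modified page, the defender’s check has to run where the page is rendered: script shipped by the bank (or a browser extension) compares the fields actually present in the DOM against the set the login form is known to have.

```javascript
// Added example (not from the original article): a minimal model of a
// Man-in-the-Browser "web inject" and a client-side check that spots it.
// URL pattern, marker, bank page and expected fields are constructed here.

// Injection rules in the style a banker uses: stay dormant unless the URL
// matches, then splice extra markup into the page just after a marker.
const INJECT_RULES = [
  {
    url: /^https:\/\/ebank\.example\/login/,           // only wake up here
    after: '<input type="password" name="password">',  // marker in bank HTML
    inject:
      '<label>Card PIN</label><input type="password" name="pin">' +
      '<label>Mother\'s maiden name</label><input name="mmn">',
  },
];

// What the trojan does between the network and the renderer: rewrite the HTML
// so the user sees extra "bank" fields on the bank's own, genuine page.
function applyWebInjects(url, html) {
  let out = html;
  for (const rule of INJECT_RULES) {
    if (!rule.url.test(url)) continue;      // dormant on every other site
    const idx = out.indexOf(rule.after);
    if (idx === -1) continue;               // marker missing: leave page alone
    const cut = idx + rule.after.length;
    out = out.slice(0, cut) + rule.inject + out.slice(cut);
  }
  return out;
}

// Defender side: list the input names a form will actually submit. Only the
// rendering side can see this; the bank's server only ever sees the extra
// POST fields that arrive afterwards.
function formFieldNames(html) {
  const names = [];
  const re = /<input\b[^>]*\bname="([^"]+)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Compare the fields in the rendered page with the set the bank's own login
// page is known to contain. Anything extra is a candidate inject.
function unexpectedFields(renderedHtml, expectedNames) {
  const expected = new Set(expectedNames);
  return formFieldNames(renderedHtml).filter((n) => !expected.has(n));
}

// Constructed sample page standing in for the bank's genuine login form.
const BANK_LOGIN_HTML =
  '<form method="post" action="/login">' +
  '<input type="text" name="username">' +
  '<input type="password" name="password">' +
  '<button type="submit">Log in</button></form>';
const EXPECTED_FIELDS = ['username', 'password'];

// Same trojan, two sites: a shop page passes through untouched, while the
// bank page grows two credential-harvesting fields.
const shopPage = applyWebInjects('https://shop.example/checkout', BANK_LOGIN_HTML);
const bankPage = applyWebInjects('https://ebank.example/login', BANK_LOGIN_HTML);
console.log('shop extra fields:', unexpectedFields(shopPage, EXPECTED_FIELDS)); // -> []
console.log('bank extra fields:', unexpectedFields(bankPage, EXPECTED_FIELDS)); // -> ['pin', 'mmn']
```

The check is deliberately simple: a real inject can also rename the bank’s own fields or hide the extra ones behind legitimate-looking labels, so a production version would compare the full form structure and the form’s submit target, not just input names.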

The only drawback in the way Banker Trojans are built is the fairly bulky size of the executable itself, which may range from 100 KB to more than 0.5 MB per file. While a download of that size might raise the suspicion of a dial-up Internet subscriber, it raises no questions for broadband subscribers.

To stay safe, BitDefender® recommends that you download, install and keep updated a complete antimalware suite with antivirus, antispam, antiphishing and firewall protection, and that you exercise extra caution when prompted to open files from unfamiliar locations.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.