[Malware Review] Spying Trojans Equal Financial Loss


If home is where the heart is, malware is definitely present where the bulk of the money is. That's why e-banking users have traditionally been one of the most frequently targeted groups of computer users.

Trojan.Spy.Ursnif.F is just one of the many sophisticated money-grabbing instruments: it is designed to stealthily poke into the e-banking account and report back to base. Here's an in-depth overview of how it is designed to work:

As a true member of the backdoor family, Trojan.Spy.Ursnif first tries to identify the default browser on the system and to find out which functions that browser uses for sending and displaying data. It injects itself into the browser process (iexplore.exe or firefox.exe) and hooks functions such as InternetReadFile, InternetWriteFile, HttpSendRequest or CreateProcess in order to intercept browser traffic. Because the hooks sit inside the browser, on the API calls that carry the request and response data, the Trojan sees that data in the clear regardless of whether the connection to the bank is encrypted.
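The hooking described above is the part a defender can check for. An inline hook overwrites the first bytes of the target function with a branch to the malware's own code, so reading the entry of InternetReadFile, InternetWriteFile, HttpSendRequest or CreateProcess inside a browser process and decoding that first instruction reveals whether control has been redirected. The program below is an added example written for this article, not BitDefender's or the Trojan's code; inspect_entry and the hook_kind names are my own, and the byte sequences in the sample arrays are constructed, not captured from Ursnif. On Windows the main function reads the live entry bytes of the named APIs through GetProcAddress; on other systems it runs against the constructed samples only.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Classification of the first instruction at a function entry. */
typedef enum {
    HOOK_NONE,          /* ordinary code, e.g. the mov edi,edi hot-patch prologue */
    HOOK_JMP_REL32,     /* E9 rel32            (x86 and x64 detours)        */
    HOOK_JMP_INDIRECT,  /* FF 25 disp32        (jmp through a pointer slot) */
    HOOK_MOV_RAX_JMP,   /* 48 B8 imm64 / FF E0 (x64 absolute detour)        */
    HOOK_PUSH_RET       /* 68 imm32 / C3       (x86 absolute detour)        */
} hook_kind;

typedef struct {
    hook_kind kind;
    uintptr_t target;   /* detour destination; for HOOK_JMP_INDIRECT the slot address */
} hook_info;

static int32_t  rd32(const uint8_t *p) { int32_t  v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Decode the first instruction of a function body.  `addr` is the address the
 * bytes were read from (needed for relative branches); `x64` selects how the
 * FF 25 displacement is interpreted (RIP-relative on x64, absolute on x86). */
hook_info inspect_entry(const uint8_t *code, size_t len, uintptr_t addr, int x64)
{
    hook_info r = { HOOK_NONE, 0 };
    if (len >= 5 && code[0] == 0xE9) {
        r.kind = HOOK_JMP_REL32;
        r.target = addr + 5 + (uintptr_t)(intptr_t)rd32(code + 1);
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        r.kind = HOOK_JMP_INDIRECT;
        r.target = x64 ? addr + 6 + (uintptr_t)(intptr_t)rd32(code + 2)
                       : (uintptr_t)(uint32_t)rd32(code + 2);
    } else if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
               code[10] == 0xFF && code[11] == 0xE0) {
        r.kind = HOOK_MOV_RAX_JMP;
        r.target = (uintptr_t)rd64(code + 2);
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        r.kind = HOOK_PUSH_RET;
        r.target = (uintptr_t)(uint32_t)rd32(code + 1);
    }
    return r;
}

/* Constructed samples (assumed load address, not bytes from a real infection). */
#define SAMPLE_ADDR 0x10001000u
static const uint8_t sample_clean[]    = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 }; /* mov edi,edi; push ebp; mov ebp,esp; sub esp,10h */
static const uint8_t sample_rel32[]    = { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x90, 0x90, 0x90 }; /* jmp +0x1000 */
static const uint8_t sample_movjmp[]   = { 0x48, 0xB8, 0x78, 0x56, 0x34, 0x12, 0, 0, 0, 0, 0xFF, 0xE0 }; /* mov rax,12345678h; jmp rax */
static const uint8_t sample_indirect[] = { 0xFF, 0x25, 0x00, 0x01, 0x00, 0x00, 0xCC, 0xCC }; /* jmp [rip+0x100] */

#ifdef _WIN32
#include <windows.h>
/* Live check of the APIs named in the article, in the current process. */
int main(void)
{
    struct { const char *dll, *fn; } apis[] = {
        { "wininet.dll",  "InternetReadFile" }, { "wininet.dll",  "InternetWriteFile" },
        { "wininet.dll",  "HttpSendRequestW" }, { "kernel32.dll", "CreateProcessW" },
    };
    for (size_t i = 0; i < sizeof apis / sizeof apis[0]; i++) {
        HMODULE h = LoadLibraryA(apis[i].dll);
        const uint8_t *p = h ? (const uint8_t *)(uintptr_t)GetProcAddress(h, apis[i].fn) : NULL;
        if (!p) { printf("%-18s not found\n", apis[i].fn); continue; }
        hook_info hi = inspect_entry(p, 16, (uintptr_t)p, sizeof(void *) == 8);
        if (hi.kind == HOOK_NONE) printf("%-18s clean entry\n", apis[i].fn);
        else printf("%-18s ENTRY REDIRECTED (kind %d) -> %p\n", apis[i].fn, (int)hi.kind, (void *)hi.target);
    }
    return 0;
}
#else
/* Off-Windows: run the decoder over the constructed samples. */
int main(void)
{
    struct { const char *name; const uint8_t *code; size_t len; } samples[] = {
        { "clean prologue",  sample_clean,    sizeof sample_clean },
        { "jmp rel32",       sample_rel32,    sizeof sample_rel32 },
        { "mov rax/jmp rax", sample_movjmp,   sizeof sample_movjmp },
        { "jmp [slot]",      sample_indirect, sizeof sample_indirect },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        hook_info hi = inspect_entry(samples[i].code, samples[i].len, SAMPLE_ADDR, 1);
        printf("%-16s %-10s target=0x%llx\n", samples[i].name,
               hi.kind == HOOK_NONE ? "clean" : "REDIRECTED", (unsigned long long)hi.target);
    }
    return 0;
}
#endif
```

A redirected entry is an indicator, not proof: a few legitimate stubs also begin with a jump, and a hook placed in the import table or deeper inside the function body is not caught by looking at the first instruction. The reliable follow-up is to compare the in-memory bytes against the same function in the DLL on disk. Running the check inside the browser process (or from a scanner that reads its memory) matters, since the Trojan hooks only the process it has injected.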

Next, Trojan.Spy.Ursnif.F iterates through the processes running on the victim machine, then connects to a remote server that it reaches under a multitude of hostnames and sends a GET request.

Should this request succeed, the connection is established and the malware is in control of the user's computer: it is ready to receive and execute commands, such as downloading an infected file, running it and then rebooting the operating system. Not only can the user not restrict this behavior, they aren't even aware of what happens behind the curtain.

The Trojan is also able to clear the cookies of the default browser and to take screenshots. Deleting the cookies is a useful trick for forcing the user to re-enter the username and password for the e-banking service, rather than relying on a remembered session or the autocomplete feature, so that the credentials are typed in and pass through the hooked functions where they can be captured.

Trojan.Spy.Ursnif then downloads an encrypted buffer into memory. Decrypted, it is a list of bank website URLs, together with JavaScript code that is used on the marked websites to steal the passwords, user names and personal identification numbers the user enters there; sitting in the browser's data path, the Trojan can add that script to the bank's pages as they are displayed.

At this point, everything is in place. The Trojan has only one task left: to wait for the user to log into their accounts, steal the login credentials and send them to a remote server. Trojan.Spy.Ursnif also takes screenshots of the user logging in to those bank websites and sends them to the attacker.

Although it has become commonplace, e-banking is a serious business, and it can cause you serious damage if done carelessly. Fortunately, it's easy to stay on the safe side of the tracks, and here are some tips on how to avoid becoming a victim:

·         Use an antivirus and keep it up to date. This is the easiest way to get protection against known threats of this kind.

·         Never log in from computers that do not belong to you or that are shared with other users. If you really need to use a shared computer, run a 60-second Quick Scan first to see if it is infected. If the scan result is positive, do not take any chances: postpone the transaction or use an alternative device (say your mobile phone or PDA).

Technical information in this article is available courtesy of BitDefender Malware Researcher Cristina Vatamanu.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.