The Trojan Money Spinner
How do they know when the user has gone to a site?
As noted above, banking trojans filter out useless data – or more precisely, they only capture interesting data from banking activity. This means that the trojan has to know when the user is banking online. Most commonly, the trojan simply monitors what the web browser is doing and which sites it visits. Banking trojans today use the following means of determining where the user is surfing:
- Hooking (e.g. inline hooks on WinInet API functions)
- BHO (Browser Helper Object) interface [4]
- Window title enumeration (e.g. FindWindow() [5])
- DDE [6]
- Other COM (Component Object Model) / OLE (Object Linking and Embedding) interfaces
- Firefox browser extensions
- LSP (Layered Service Provider) interface [7]
As a fairly conventional example, Banker.ark [8] steals logon credentials related to some Brazilian banks by logging keystrokes when the internet browser title bar contains a string that is on its filter list.
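Inline hooks on browser networking APIs, listed first above, leave a trace that a defender can check for: the first bytes of the exported function in the live process no longer match the prologue in the module file on disk, and typically begin with a jump that leads outside the module itself. The following Python is an added illustration of that check and is not code from the paper or from any product it mentions; the export name, addresses and prologue bytes are constructed for the example (the clean prologue uses the common hot-patchable x86 prologue `mov edi,edi; push ebp; mov ebp,esp`), and in a real scan both byte strings would be read from the process and from the mapped file.

```python
"""Hook check for an exported API function (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ExportSnapshot:
    module: str           # module that exports the function (assumed name)
    name: str             # export name (assumed name)
    address: int          # virtual address of the export in the live process
    module_base: int      # base address of the module in that process
    module_size: int      # size of the mapped module
    disk_bytes: bytes     # prologue bytes as found in the module file on disk
    memory_bytes: bytes   # prologue bytes as read from the live process


def jmp_target(address: int, code: bytes) -> Optional[int]:
    """Decode an x86 'E9 rel32' near jump at `address`; None if not a jmp."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return address + 5 + rel
    return None


def classify(snap: ExportSnapshot) -> List[str]:
    """Return a list of hook indicators for one export (empty = nothing found)."""
    findings = []
    if snap.memory_bytes != snap.disk_bytes:
        findings.append("prologue differs from on-disk image")
    target = jmp_target(snap.address, snap.memory_bytes)
    if target is not None:
        in_module = snap.module_base <= target < snap.module_base + snap.module_size
        if not in_module:
            findings.append(f"entry jmp to 0x{target:08x} outside {snap.module}")
    # 'push imm32; ret' is another common trampoline shape at a function entry
    if len(snap.memory_bytes) >= 6 and snap.memory_bytes[0] == 0x68 and snap.memory_bytes[5] == 0xC3:
        findings.append("push/ret trampoline at entry")
    return findings


# Constructed sample: the same export once untouched and once redirected.
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")          # mov edi,edi; push ebp; mov ebp,esp
EXPORT_ADDR = 0x76A01234
MODULE_BASE, MODULE_SIZE = 0x76A00000, 0x00100000
FOREIGN_TARGET = 0x00400000                           # an address in some other image
_rel = (FOREIGN_TARGET - (EXPORT_ADDR + 5)).to_bytes(4, "little", signed=True)

CLEAN = ExportSnapshot("wininet.dll", "HttpSendRequestA", EXPORT_ADDR,
                       MODULE_BASE, MODULE_SIZE, CLEAN_PROLOGUE, CLEAN_PROLOGUE)
HOOKED = ExportSnapshot("wininet.dll", "HttpSendRequestA", EXPORT_ADDR,
                        MODULE_BASE, MODULE_SIZE, CLEAN_PROLOGUE, b"\xe9" + _rel)

if __name__ == "__main__":
    for snap in (CLEAN, HOOKED):
        print(snap.name, classify(snap) or "clean")
```

A mismatch is an indicator rather than a verdict: security products and operating-system hot patches also rewrite function entries, so the jump target should be attributed to a module before anything is flagged as malicious.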
How do trojans spy on the data?
After the trojan has determined that the user is accessing a banking site, it tries to capture the user’s credentials or his authenticated banking session. Trojans use the following techniques:
- Form grabbing
- Screenshots and video capture
- Keylogging
- Injection of fraudulent pages or form fields
- Pharming
- Man-in-the-middle attacks
As an example of the HTML injection techniques, some banking trojans monitor the sites a user accesses and then display fraudulent web pages when they see that the user has entered an interesting site. One such trojan is Sinowal.cp [9], discovered in March 2007. When Sinowal is activated on a compromised system, it contacts a control server controlled by the attacker. The server provides a list of banking sites the trojan then starts monitoring. When a monitored site is hit, the trojan displays fraudulent web pages delivered from the control server instead of the real bank pages.
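Injected pages and form fields are most visible as a difference between what a login page should contain and what the browser actually rendered. The Python below is an added example, not code from the paper or from the trojan it describes: it extracts the named fields of every form on a page and reports those absent from a baseline recorded for the genuine page. The two pages and the baseline are constructed for the illustration; the extra fields in the second page stand in for the kind of additional credential prompts injected pages typically add.

```python
"""Detect form fields that are not part of a page's known baseline (added example)."""
from html.parser import HTMLParser
from typing import List, Set, Tuple

Field = Tuple[str, str]  # (field name, input type)


class FormFieldCollector(HTMLParser):
    """Collects (name, type) for input/select/textarea elements inside <form>."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: List[Field] = []
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form = True
        elif self._in_form and tag in ("input", "select", "textarea"):
            name = a.get("name")
            if name:  # unnamed controls such as submit buttons carry no data
                self.fields.append((name, (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def extract_fields(html: str) -> List[Field]:
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def injected_fields(html: str, baseline: Set[Field]) -> List[Field]:
    """Fields present in the rendered page but not in the baseline, sorted."""
    return sorted(set(extract_fields(html)) - baseline)


# Constructed baseline: the fields the genuine login page is known to have.
LOGIN_BASELINE: Set[Field] = {("username", "text"), ("password", "password")}

# Constructed sample pages.
CLEAN_PAGE = """<form action="/login" method="post">
<input name="username" type="text">
<input name="password" type="password">
<input type="submit" value="Log in">
</form>"""

INJECTED_PAGE = """<form action="/login" method="post">
<input name="username" type="text">
<input name="password" type="password">
<input name="card_number" type="text">
<input name="atm_pin" type="password">
<input type="submit" value="Log in">
</form>"""

if __name__ == "__main__":
    print("clean page:", injected_fields(CLEAN_PAGE, LOGIN_BASELINE))
    print("injected page:", injected_fields(INJECTED_PAGE, LOGIN_BASELINE))
```

Because the injection happens on the customer's machine, the bank's server never sees the extra fields in the HTML it sends; the comparison has to run on the rendered page, for example in a browser-side integrity script or on pages captured from a suspect client during an investigation.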