February 26th, 2011, 08:30 GMT · By

New Banking Trojan Targets All Major Browsers

New banking trojan uses a rootkit component to hide itself
Spanish security firm S21sec has identified a new banking trojan that can inject HTML into all popular browsers and uses a rootkit component to hide its files and processes on the infected system.

Dubbed Tatanga, the trojan is written in C++ and organized into modules with different functions, each of which is decrypted in memory only when it is needed.

Like other banking trojans, Tatanga executes Man-in-the-Browser (MitB) attacks in order to perform unauthorized transactions from the accounts of its victims.

The trojan currently targets customers of banks in Western European countries, particularly the United Kingdom, Germany, Spain and Portugal.

It currently has a very low detection rate. A signature-based VirusTotal scan shows that only 9 of 43 antivirus engines flag the infector as malicious, and most of those do so under generic names.

Microsoft calls it Trojan:Win32/Mariofev.B and first added detection for it on September 3, 2010. The definition was updated a week ago, probably to account for new variants.

According to S21sec researchers, the trojan comes with an email-harvesting module, one that handles encrypted communication, another that removes competing trojans (ZeuS among them), a module for blocking antivirus programs, one that handles the encrypted configuration file, the HTML injector, and a file patcher whose purpose has yet to be determined.

"The module names ModEmailGrabber and ModMalwareRemover might have been used in a bot in 2008, so maybe this is the result of the evolution of that malware," the researchers write.

This might explain why Microsoft calls this version Mariofev.B. The company added detection for a Trojan:Win32/Mariofev.A on October 7, 2008.

The trojan talks to its command-and-control server through seven hardcoded websites that act as proxies, but the encryption protecting that communication is very weak.

Tatanga hooks into explorer.exe and can inject HTML into Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Minefield (Firefox development builds), Maxthon, Netscape, Safari and Konqueror, in other words practically every popular browser.

Other noteworthy features include support for 64-bit Windows, anti-virtual-machine checks, phishing of mobile one-time passwords (OTPs), and evasion of Trusteer Rapport.
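The Man-in-the-Browser attack described above works because the victim sees a page that the bank never served: the injector adds fields (for instance ones asking for a mobile number and the SMS code, which is how the OTP phishing mentioned here is carried out) into an otherwise genuine form. The following is an added example, not code from S21sec or from this article, of the kind of integrity check a bank's anti-fraud back end can run over a DOM snapshot that its page script posts back: it parses the form fields the bank's own template declares, parses the fields present in the captured copy, and reports any that were added or removed. Both HTML snippets, the form id `login` and the field names in them are constructed for illustration.

```python
"""Detect form fields injected into a banking page by a Man-in-the-Browser HTML injector.

Added example, not S21sec's or Softpedia's code. It compares the <input> fields
present in a captured copy of a rendered login form against the fields the bank's
own template declares; anything extra is a candidate injected field. The two HTML
snippets and the field names in them are constructed for illustration.
"""
from html.parser import HTMLParser

# Constructed: the form as the bank actually serves it.
GENUINE_FORM = """
<form id="login" action="/auth" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="submit" value="Log in">
</form>
"""

# Constructed: the same form as a victim's browser renders it after a MitB
# injector has added fields that ask for the mobile number and the SMS OTP.
TAMPERED_FORM = """
<form id="login" action="/auth" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc123">
  <p>For your security, confirm your mobile number and the code we sent you.</p>
  <input type="text" name="mobile_number">
  <input type="text" name="sms_otp">
  <input type="submit" value="Log in">
</form>
"""


class InputCollector(HTMLParser):
    """Collects (name, type) pairs of every named <input>, keyed by form id."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.fields = {}  # form id -> list of (name, type)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current_form = attrs.get("id", "")
            self.fields.setdefault(self.current_form, [])
        elif tag == "input" and self.current_form is not None:
            name = attrs.get("name")
            if name:  # unnamed inputs (e.g. the submit button) carry no data
                self.fields[self.current_form].append((name, attrs.get("type", "text")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def collect_fields(html):
    """Parse an HTML fragment and return {form_id: [(name, type), ...]}."""
    parser = InputCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def find_injected_fields(expected_html, observed_html):
    """Return, per form id, the fields present in the observed DOM but absent
    from the bank's template ("injected") and those the template declares but
    the observed DOM lacks ("missing"); injectors sometimes drop or rename
    originals as well as adding fields. Forms with no difference are omitted."""
    expected = collect_fields(expected_html)
    observed = collect_fields(observed_html)
    report = {}
    for form_id in set(expected) | set(observed):
        exp = set(expected.get(form_id, []))
        obs = set(observed.get(form_id, []))
        extra = sorted(obs - exp)
        missing = sorted(exp - obs)
        if extra or missing:
            report[form_id] = {"injected": extra, "missing": missing}
    return report


if __name__ == "__main__":
    print(find_injected_fields(GENUINE_FORM, TAMPERED_FORM))
```

On the constructed input the check reports `mobile_number` and `sms_otp` as injected into the `login` form and nothing missing. The caveat a practitioner should keep in mind is that a trojan hooked into the browser at this level can also tamper with the page script that takes the snapshot, so a check like this is a detection signal for the fraud team, not a control the bank can rely on; the stronger defence against the transactions such a trojan performs is confirmation over a channel the infected machine does not control, which is exactly why Tatanga goes after mobile OTPs.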


READER COMMENTS:


Comment #1 by: nick on 27 Feb 2011, 20:21 UTC

Try to search for the developers, and don't put them in jail; rather, make them a shield against other bank trojans.
