Oct 22, 2010 10:48 GMT

Security researchers from FireEye have identified a new banking trojan, which is capable of launching man-in-the-browser (MITB) attacks and targets an unusually high number of financial institutions.

Dubbed Feodo by the security vendor, the malware is similar in concept and features to other banking trojans like ZeuS, SpyEye, Bugat or Carberp.

The threat steals online banking credentials and other sensitive information by intercepting data entered into web forms, as well as by injecting rogue HTML elements into pages.

"I can see that the bot herders are instructing its zombies to target over a dozen banks. This is a huge list, I rarely see even bot herders behind Zbot targeting so many banks," Atif Mushtaq, a security research engineer at FireEye, says.

The expert also notes that, unlike Zbot or SpyEye, Feodo is not the product of a crimeware toolkit sold on the underground market and most likely belongs to a single gang.

As of two days ago, only two antivirus engines on VirusTotal detected the threat as malicious. However, VirusTotal only performs signature-based scans, and the more proactive protection layers present in many products might actually block it.

It's worth noting that the trojan doesn't only target banks, but also services like PayPal, Amazon, Myspace or Gmail.

Feodo hooks into the browser process and monitors accessed URLs. If any of them matches a regular expression from its config file, it starts capturing form data and submits it to its command and control server.

The trojan can also inject rogue form fields in order to trick users into providing more information than is normally required.
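The rogue form-field injection described above leaves a detectable trace: the page the browser renders carries inputs the genuine page never had. The following added example (not code from the article or from FireEye) shows a baseline check that flags such extra fields; the page markup and the baseline are constructed, and the injected `card_number`/`atm_pin` fields are hypothetical.

```python
from html.parser import HTMLParser
from typing import Dict, Set

# Constructed sample: a bank login form as the server serves it, and the same
# page after a man-in-the-browser trojan has injected two extra fields.
CLEAN_PAGE = """
<form action="/login" method="post">
  <input name="username"><input name="password" type="password">
  <input type="submit" value="Sign in">
</form>"""
INJECTED_PAGE = CLEAN_PAGE.replace(
    '<input type="submit"',
    '<input name="card_number"><input name="atm_pin" type="password">'
    '<input type="submit"')

# Baseline of input names each form is known to contain, keyed by form action.
# In practice this is generated from the genuine page, not typed by hand.
BASELINE: Dict[str, Set[str]] = {"/login": {"username", "password"}}


class FormFieldParser(HTMLParser):
    """Collects the named <input> fields of every <form> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: Dict[str, Set[str]] = {}
        self._current = None  # action of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("action", "")
            self.forms.setdefault(self._current, set())
        elif tag == "input" and self._current is not None and a.get("name"):
            self.forms[self._current].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_injected_fields(html: str, baseline: Dict[str, Set[str]]):
    """Return {form_action: sorted unexpected field names} for every form that
    carries inputs absent from the baseline; an empty dict means nothing extra."""
    parser = FormFieldParser()
    parser.feed(html)
    suspicious = {}
    for action, names in parser.forms.items():
        extra = names - baseline.get(action, set())
        if extra:
            suspicious[action] = sorted(extra)
    return suspicious
```

Because the trojan sits inside the browser, the comparison is only trustworthy when the rendered form is captured and checked from a context the malware does not control.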

Another feature involves stealing entire HTML pages during browsing sessions. This allows the attackers to learn how various online banking systems look from the inside, without having to open accounts with each of the banks.

Mr. Mushtaq points out that while Feodo doesn't trump other banking trojans in capabilities, its private nature presents other advantages.

"Unlike Zbot which has become a victim of its own success, this malware can fly under the radar for a long time. If the attackers want a new feature, they don't need to wait for a new toolkit version, a change can be made right away," he explains.