Old 03-04-2008, 07:01 AM   #1
Andy Walker
Banking Trojan

Unusual banking trojan found today (April 1, 2008)

We've seen tons of banking trojans lately, but now we've run into
something quite unique.

This new banking trojan was found today from a drive-by-download site.
We've added detection for it as Win32.Pril.A

It not only infects the MBR of the machine, but also reflashes the
boot code in the Flash BIOS, making disinfection problematic.

Once an infected machine is online, the trojan monitors the user's
actions, waiting for him to go to one of several hundred online
banks, located all over the world.

Once the user has logged on, the banking trojan uses PCMCIA to inject
code into the VGA! As an end result, the trojan creates a
man-in-the-browser attack against the victim.

Now, the really surprising part is what the trojan does. Normal
banking trojans would insert extra transactions or change the deposit
account numbers on-the-fly. However, Win32.Pril.A doesn't withdraw
money from you - it actually inserts money TO your account. This
looked so weird we had to test it several times, on all of our
accounts.

The drive-by-download site is still up. Normally, we wouldn't list the
URL for such a site, or we would at least obfuscate it in a
screenshot. However this time we'll make an exception. We will even
make the link clickable: http://aprilbanking.cjb.net/
http://www.f-secure.com/weblog/archives/00001411.html

Enjoy :-)


Old 03-04-2008, 07:01 AM   #2
David H. Lipman
Re: Banking Trojan

From: "Andy Walker" <awalker@nspank.invalid>

| Unusual banking trojan found today (April 1, 2008)
|
| We've seen tons of banking trojans lately, but now we've run into
| something quite unique.
|
| This new banking trojan was found today from a drive-by-download site.
| We've added detection for it as Win32.Pril.A
|
| It not only infects the MBR of the machine, but also reflashes the
| boot code in the Flash BIOS, making disinfection problematic.
|
| Once an infected machine is online, the trojan monitors the user's
| actions, waiting for him to go to one of several hundred online
| banks, located all over the world.
|
| Once the user has logged on, the banking trojan uses PCMCIA to inject
| code into the VGA! As an end result, the trojan creates a
| man-in-the-browser attack against the victim.
|
| Now, the really surprising part is what the trojan does. Normal
| banking trojans would insert extra transactions or change the deposit
| account numbers on-the-fly. However, Win32.Pril.A doesn't withdraw
| money from you - it actually inserts money TO your account. This
| looked so weird we had to test it several times, on all of our
| accounts.
|
| The drive-by-download site is still up. Normally, we wouldn't list the
| URL for such a site, or we would at least obfuscate it in a
| screenshot. However this time we'll make an exception. We will even
| make the link clickable: http://aprilbanking.cjb.net/
|
| http://www.f-secure.com/weblog/archives/00001411.html
|
| Enjoy :-)
|

F-Secure humour...
"...the banking trojan uses PCMCIA to inject code into the VGA! As an end result, the trojan
creates a man-in-the-browser attack against the victim."

Here's another...

"New Sophos facial recognition technology uses webcams to stop hackers and virus writers in
their tracks"

http://www.sophos.com/pressoffice/ne.../04/rapil.html


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Old 04-04-2008, 02:08 AM   #3
Quilljar
Re: Banking Trojan

Pril.A rather gives the game away, don't you think?

Q
