Security researchers from Symantec warn of a new banking trojan capable of hijacking the SSL connections between browsers and online banking sites in a way that is hard to spot.
Variants of this malware, which Symantec detects as Trojan.Tatanarg, have been in circulation since last October, but its code is believed to be based on an older threat called W32.Spamuzle.
The trojan has a modular architecture, with separate components handling different tasks, and offers the functionality found in most banking malware.
It can inject rogue HTML code into pages (man-in-the-browser attacks), disrupt antivirus software, uninstall other banking trojans and enable Windows remote access.
It also features a backdoor component through which attackers can issue commands to control the infected computers.
However, the most interesting functionality of this trojan is its ability to function as a proxy between browsers and SSL-secured websites.
This is achieved by hijacking the legitimate SSL connection and establishing a new one on the browser end using a self-signed certificate.
Alerts are blocked and exceptions are added automatically in the browser, making the attack almost transparent to users.
The HTTPS prefix is present, as is the padlock indicating an SSL connection. The only way for the user to realize he's not using his bank's certificate would be to manually check the issuer.
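As an added example (not code from the article or from Symantec), the script below automates the manual issuer check the paragraph describes: it flags a leaf certificate whose issuer equals its subject, or whose issuer CN is not the CA the bank is known to use. The host name, CA name and certificate dicts are constructed placeholders.

```python
import socket
import ssl

# Constructed sample in the dict format returned by ssl.SSLSocket.getpeercert():
# a leaf certificate for a hypothetical bank whose issuer is identical to its
# subject, i.e. self-signed, as a local TLS proxy would present it.
SELF_SIGNED_SAMPLE = {
    "subject": ((("commonName", "online.examplebank.test"),),),
    "issuer": ((("commonName", "online.examplebank.test"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Constructed sample of a CA-issued certificate for the same hypothetical site.
CA_ISSUED_SAMPLE = {
    "subject": ((("organizationName", "Example Bank"),),
                (("commonName", "online.examplebank.test"),)),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA Issuing G2"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

def name_to_dict(rdn_sequence):
    """Flatten getpeercert()'s tuple-of-tuples name into {attribute: value}."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}

def check_peer_cert(cert, expected_issuer_cn=None):
    """Return a list of findings; an empty list means nothing looked substituted."""
    findings = []
    subject = name_to_dict(cert.get("subject", ()))
    issuer = name_to_dict(cert.get("issuer", ()))
    if not issuer:
        findings.append("no issuer present (certificate was not verified)")
    elif subject == issuer:
        findings.append("self-signed leaf: issuer equals subject")
    if expected_issuer_cn and issuer.get("commonName") != expected_issuer_cn:
        findings.append("issuer CN %r differs from expected %r"
                        % (issuer.get("commonName"), expected_issuer_cn))
    return findings

def inspect_host(host, port=443, expected_issuer_cn=None, timeout=5):
    """Verified handshake against the system trust store, then run the checks on
    the certificate actually presented to this machine. A chain that fails to
    verify is reported as a finding rather than raised."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return check_peer_cert(tls.getpeercert(), expected_issuer_cn)
    except ssl.SSLCertVerificationError as exc:
        return ["chain did not verify: %s" % exc.verify_message]
```

Run `inspect_host` against a real bank host with the CA name taken from a known-good session on a clean machine; a non-empty result on the machine under test is the discrepancy a user would otherwise only see by opening the certificate viewer.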
Tatanarg is one of several banking trojans that have appeared since the crackdown on ZeuS-based cyberfraud operations last year. It seems that, unhappy with the heat, criminal gangs have begun developing their own custom malware.
They also try to come up with innovative attack methods. Just last week, Trusteer reported on a trojan dubbed OddJob which forces browsers to keep sessions open after users think they have successfully logged out.
Users are advised to always keep their antivirus programs up to date to ensure they have the latest protection available. Also, if possible, online banking should be performed from a dedicated computer or a live CD.