For too long now the perpetrators of malware have been getting away with targeting our banking sector, and each time we think we are getting somewhere they seem to be one step ahead, gradually raising the bar in this arms race.
On Friday, my team at TrustDefender Labs released a report on one of the nastiest pieces of malware, which has just become even nastier. You may think some of the older malware is bad enough, but the bad guys have released a new version of one of the most successful e-banking Trojans, this time with major enhancements. And the 'bad news' is that they changed the lot!
Basically, these guys have been busy over the last few months with a new version of Mebroot/Sinowal/Torpig that performs the same tasks and does the same damage as the previous versions (for more information see www.trustdefender.com/blog). The big difference is that this Trojan hides in the system with better stealth than ever before, to make sure:
1. it can infect your system without you knowing,
2. collect as much information as possible, and
3. stay there undetected as long as possible.
To reiterate in plain English: everything that was previously written on how to detect Mebroot/Sinowal/Torpig is now invalid and no longer applies. No rg4sfay file in Windows\temp anymore, no reference to \!win$, no detection with GMER's special mbr.exe program, and GMER itself only lists a couple of detached threads. Nothing really suspicious.
The troubling issue is that the research team found this new version carries the most exhaustive list of banking and broking websites they have seen, covering virtually all major financial institutions in the UK, Australia, USA, Spain, Italy, Germany and more. Interestingly, more and more non-bank websites are part of this list, such as partycashier.com (the online payment service of a popular poker site) and government sites like pay.gov (electronic payments to the US Government).
The challenge now for the 'good guys': when will they catch up, and can they stop this nasty e-banking Trojan?