1. Welcome Guest! In order to create a new topic or reply to an existing one, you must register first. It is easy and free. Click here to sign up now!.
    Dismiss Notice

New Banking Trojan Targets All Major Browsers

Discussion in 'Security Updates' started by starbuck, Feb 27, 2011.

  1. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Spanish security firm S21sec has identified a new banking trojan capable of injecting HTML into all popular browsers which uses a rootkit to hide its components.

    Dubbed Tatanga, the trojan is written in C++ and is organized in modules with different functionality which are decrypted in memory as needed.

    Like other banking trojans, Tatanga executes Man-in-the-Browser (MitB) attacks in order to perform unauthorized transactions from the accounts of its victims.

    The trojan currently targets banks from Western European countries, particularly the United Kingdom, Germany, Spain and Portugal.

    It currently has a very low detection rate. A signature-based Virus Total scan reveals that only 9 in 43 antivirus engines currently detect the infector as malicious and most of them do it under generic names.

    Microsoft calls it Trojan:Win32/Mariofev.B and has first added detection for it on September 03, 2010. However, the definition was updated a week ago, probably to account for new variants.

    According to S21sec researchers, the trojan comes with an email harvesting module, one that handles encrypted communication, another for the removal of competing trojans, including ZeuS, a module for blocking antivirus programs, one handling the encrypted configuration file, the HTML injector, and a file patcher whose purpose is yet to be determined.

    "The modules names ModEmailGrabber and ModMalwareRemover might have been used in a bot in 2008, so maybe this is the result of the evolution of that malware," the researchers write.

    This might explain why Microsoft calls this version Mariofev.B. The company added detection for a Trojan:Win32/Mariofev.A on Oct 07, 2008.

    The trojan talks with the command and control server via seven hardcoded websites that act as proxy, but the communication encryption is very weak.

    Tatanga hooks into explorer.exe and can inject HTML in Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Minefield (Firefox dev builds), Maxthoon, Netscape, Safari and Konqueror, basically every popular browser.

    Other noteworthy features include support for 64-bit Windows, anti-VM technology, mobile OTP phishing and Trusteer Rapport evasion.


    Source:
    http:/ ews.softpedia.com ews/New-Banking-Trojan-Targets-All-Major-Browsers-186443.shtml
     
    starbuck, Feb 27, 2011
    #1

Share This Page