2 New Malware Threats Identified
Stealth of Tinba Trojan, DroidCleaner Alarms Researchers
The sophistication of two newly identified malware strains reveals just how stealthy these attacks are becoming. And security experts who discovered these strains say detection is proving increasingly challenging.
Researchers at Trusteer in early January discovered a new malware variant that compromises online browsing sessions by injecting fake Web pages. So far, one leading bank and a handful of non-financial websites have been affected, and Trusteer expects the Trojan to spread.
Additionally, Kaspersky Lab has identified a malicious mobile application that hijacks the SMS/text feature on Google Android smart phones and could potentially pose new risks for mobile banking users. The app, known as DroidCleaner, was discovered in the Google Play app store.
In light of new malware threats, experts say banking institutions must ramp up fraud detection and prevention. Ensuring end-users have anti-virus software on their PCs and mobile devices should be a given, but banking institutions have to go a step beyond these measures, says Trusteer researcher Etay Maor.
"It's good to know [through detection] that the user is infected, but that's not enough," he says. "You need to know if [online] credentials are being used from a different IP or computer, and you need to detect anomalous behavior. You have to have all of that information tied together."
Real-time, cross-channel fraud detection is a necessity, Maor stresses.
Enhanced Banking Trojan
Trusteer researcher Amit Klein blogged on Feb. 7 about enhancements hackers have made to Tinba - a banking Trojan that began hitting underground forums about eight months ago.
This new version of Tinba has the ability to get around conventional fraud-detection methods, such as those outlined in the Federal Financial Institutions Examination Council's updated authentication guidance, that many banking institutions rely on, Trusteer notes.
A new version of Tinba, Tinba v2, was discovered in early January by Trusteer after one of its bank customers was targeted. Trusteer would not offer details about the bank that was hit, but analysis of the attack revealed Tinba had been enhanced to not only avoid detection, but also compromise two-factor authentication.
"When the customer accesses the bank's website, the malware presents a completely fake web page that looks like the bank login page," Klein says.
Once the user enters his login and password on the fake page, the malware triggers an error message and then sends the online banking credentials to the hacker, Klein says.
Any second-factor verification codes or tokens entered for authentication during the faux session also are compromised.
"Using this tactic, the malware never lets the customer reach the bank's login page, which prevents backend security systems from being able to detect malware anomalies in the session," Klein says.
The first version of Tinba monitored, in real-time, online sessions between users and their banking institution, Maor says. Once the user logged into the account, Tinba attacked in the background, allowing hackers to transfer funds or add new payees without the user's knowledge.
Banking institutions responded by deploying layered monitoring controls for online sessions, he says. But because Tinba v2 prevents the user from accessing the actual online-banking page, defenses built for the bank's site have no effect.
"As soon as you enter the URL for the bank's site, there is a trigger that communicates with command and control," Maor says. "Then Tinba injects a full Web page, and it's very different from other HTML injects we've seen before. The user interacts with this new page and not the bank's page. So even if the bank has a layer to address a compromise of credentials on its site, it won't catch this."
In addition to the increasing sophistication, what's most concerning is how quickly hackers are developing and releasing malware enhancements, he adds. "We're seeing rapid response from the Trojan authors," Maor says.
The new version of Tinba has been designed to support strikes waged in the Google Chrome browser as well as Internet Explorer and Firefox.
DroidCleaner for Mobile
Identified Jan. 22 in the Google Play mobile application store by researchers at Kaspersky Lab, DroidCleaner is marketed by attackers as an app that can free memory on Google's operating system.
The malware takes aim at Android smart phones, as well as PCs. DroidCleaner compromises a mobile device's SD card and contacts list and can even send, delete and upload SMS/text messages. Once a user connects an infected device to a PC, DroidCleaner infects the computer and hijacks the system's microphone for eavesdropping.
"The most concerning thing is the fact that bad guys are using the infected smart phones as a new attack vector, aiming to infect the PC," says Kaspersky researcher Fabio Assolini. "This is a completely new behavior on malicious Droid apps."
The malware's ability to record audio from an infected PC means that any time the PC's microphone is activated, every sound could be recorded, Assolini says. DroidCleaner, however, is not malware designed specifically for attacks against online banking.
But the malware has the ability to compromise SMS/texting features often used for out-of-band authentication or verification of online-banking transactions. And any attack against a mobile platform, especially one that can hijack SMS/texting services, poses a risk, Assolini says.
"Online banking using mobile devices is targeted by other known malicious viruses, such as Zeus, SpyEye and Carberp," he says. "The attacks on the Android platform are very common, but with different goals. [This is why] we advise all users to maintain an AV on their device."
PCs running older versions of the Microsoft Windows operating system are vulnerable, Kaspersky researchers point out. The function that automatically allowed the malware to be installed has been disabled in current versions, they note. So the PC piece of the attack is aimed only at users of older versions of Windows.
Google has removed DroidCleaner from its Play store, but Assolini says the malicious app could be published in other Droid app markets.
"It isn't possible for us to check how many users installed it and where all the users that installed it are located," he says. "But it's common among bad guys to repackage it, change the name and publish it on alternative Droid markets. For this reason, it is wise to only download apps from the official store, as Google acts quickly to remove malicious apps when identified."
And it's not just Android devices that are at risk, says Alphonse Pascual, a financial security and fraud analyst with consultancy Javelin Strategy & Research. Mobile malware is growing exponentially, he says.
"What that means from a security standpoint is that while Android presents a larger target profile, iPhone users should be a high-profile concern because they represent a substantial portion of the mobile payment volume," Pascual says.
Tackling the Malware Life Cycle
Banking institutions currently are able to detect some of these emerging and sophisticated strains of banking malware, such as Tinba, but they must have a full transaction and online-account picture, Maor says.
When it comes to DroidCleaner, the best defense is a mobile anti-virus product, Assolini says. Although DroidCleaner is not designed to hijack online banking credentials, it could be used to access sensitive information that ultimately leads to an account takeover, he says.
"The malware has the ability to record audio from an infected PC," Assolini says. "This malicious behavior is common in several Windows malware families, used specially to spy on victims."
To defend against these malware attacks, Trusteer and Kaspersky recommend banking institutions:
- Offer malware-detection software to customers for PCs as well as mobile devices;
- Encourage all online-banking and mobile-banking users to regularly update their AV software; and
- Incorporate device identification and anomaly detection into the overall user/account behavior profile.
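The third recommendation, and Maor's point that stolen credentials show up as logins from a different IP or computer, can be sketched as a small scoring rule set. This is an added illustration, not code from Trusteer, Kaspersky or the article; the account ids, IPs, device fingerprints and rule weights are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample history: past successful logins per account.
HISTORY = [
    {"account": "acct-1", "ip": "203.0.113.10", "device": "dev-A"},
    {"account": "acct-1", "ip": "203.0.113.10", "device": "dev-A"},
    {"account": "acct-1", "ip": "203.0.113.11", "device": "dev-A"},
    {"account": "acct-2", "ip": "198.51.100.7", "device": "dev-B"},
]

# Assumed rule weights. A full-page inject never reaches the bank's site,
# so the bank's first sight of the fraud is a login from a device and IP
# the account has never used, often followed by a new payee being added.
WEIGHTS = {"unknown_device": 2, "unknown_ip": 1, "new_payee": 2}
THRESHOLD = 3

def build_profiles(events):
    """Per-account sets of previously seen IPs and device fingerprints."""
    profiles = defaultdict(lambda: {"ips": set(), "devices": set()})
    for e in events:
        profiles[e["account"]]["ips"].add(e["ip"])
        profiles[e["account"]]["devices"].add(e["device"])
    return profiles

def score_session(profiles, session):
    """Score one post-login session against the account's profile.

    session: dict with account, ip, device and a list of actions such as
    "add_payee" or "transfer". Returns (score, reasons, flagged).
    """
    prof = profiles.get(session["account"], {"ips": set(), "devices": set()})
    reasons = []
    if session["device"] not in prof["devices"]:
        reasons.append("unknown_device")
    if session["ip"] not in prof["ips"]:
        reasons.append("unknown_ip")
    if "add_payee" in session.get("actions", []):
        reasons.append("new_payee")
    score = sum(WEIGHTS[r] for r in reasons)
    return score, reasons, score >= THRESHOLD

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # Constructed: the customer's usual session, then the same credentials
    # used from an unfamiliar machine to add a payee and move money.
    normal = {"account": "acct-1", "ip": "203.0.113.10", "device": "dev-A",
              "actions": ["view_balance"]}
    replay = {"account": "acct-1", "ip": "192.0.2.44", "device": "dev-Z",
              "actions": ["add_payee", "transfer"]}
    for s in (normal, replay):
        print(score_session(profiles, s))
```

A real deployment would feed these scores into the cross-channel picture Maor describes rather than blocking on a single rule, and would age out devices and IPs from the profile.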
"We've partnered with McAfee to begin offering a first-gen mobile anti-virus solution to address the needs we see among our customers," he told BankInfoSecurity last month.
Growing Malware Threats
New malware releases have become commonplace, especially strains aimed at compromising online-banking accounts.
Gozi-Prinimalka was identified last October by researchers at RSA. This sophisticated Trojan has been promoted in underground forums as being behind an expected spring attack to be aimed at 30 U.S. banking institutions.
But researchers say activity around Prinimalka has stalled recently, and the recent indictments of Gozi's original developers may have encouraged attackers to call off their planned attacks (see Did Feds Defuse Blitzkrieg on Banks?).
Citadel, which debuted in underground forums in January 2012, is another banking Trojan for which cybersecurity experts have warned institutions to brace.
An advanced variant of Zeus, Citadel is a keylogger that steals online-banking credentials by capturing keystrokes. Fraudsters then use stolen login IDs and passwords to access online accounts, take them over and schedule fraudulent transactions.
And then there's Eurograbber, a Trojan identified in August by Versafe. This Trojan is being used in multistaged attacks that successfully compromise desktops and mobile devices. The sophistication of the Eurograbber attack is what's most concerning, says Darrell Burkey, who oversees intrusion prevention products at Check Point Software Technologies. The attack, which specifically targeted dual-factor authentication that relies on the texting of one-time passcodes to mobile devices, proves Eurograbber's designers had an in-depth understanding of how online banking systems work.