Windows malware threatens bank accounts

Trusteer identifies trojan that “morphed” into financial institutions threat

This story has been updated with new information.

Web access security provider Trusteer has identified a Microsoft Windows malware platform that it says has “morphed” into a threat that attacks North American financial institutions and their customer accounts. The trojan, dubbed “Sunspot,” has been in circulation for a while but only recently developed financial fraud capabilities, according to a blog post today by Trusteer’s Chief Technology Officer Amit Klein.

“It is currently targeting North American financial institutions and has already achieved SpyEye and Zeus–like infection rates in some regions. There are confirmed fraud losses associated with Sunspot, so the threat is real,” Klein wrote.

BACKGROUND: Researchers warn browser users over new SpyEye/ZeuS trojan

Sunspot infects computers running 32-bit or 64-bit Windows XP, Vista and 7, and infects Internet Explorer and Firefox browsers, which are the most widely used.

Sunspot is able to launch “man-in-the-browser” attacks in which the malware can see what the user is seeing when they are on a bank Web site. Sunspot can see account balances and request additional information from the user such as passwords, PINs or answers to secret questions. It can request payment card information and other personal information such as driver’s license number, date of birth and so on, all of which can be used for identity theft. Trusteer says Sunspot can also take screenshots of the open browser as a user is typing in a password or PIN, though only if done on a virtual keyboard such as on a smartphone or tablet computer. This is similar to SpyEye/ZeuS, but those infections have, so far, seemed to plague mostly European institutions.

What I notice is that Trusteer says Sunspot can “request” this information, which is not the same as stealing that information. It’d be interesting to know if the malware’s success depends on the user actually providing -- or, more to the point, being stupid enough to provide -- that information.

UPDATE: However, a Trusteer spokesperson explained that financial services malware like Sunspot works by injecting fake Web pages into the session with the real bank site, so in making those requests, the user can be led to believe that the request is coming from the real bank. But when they surrender the information requested, it goes to the cyber criminal. Trusteer has notified its financial services customers of the threat and that its Rapport end-point security product protects against these threats.

Trusteer traced the trojan to Russia, and Klein says this is how it starts up on an infected computer: “Once installed, Sunspot is started either by "rundll32.exe" via HKCU\Software\Microsoft\Windows\CurrentVersion\Run or via HKLM\SOFTWARE\Microsoft\Active.”
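A defender-side check for the autostart location Klein quotes, as an added example that is not part of the article or of Trusteer’s material: it lists the Run entries under HKCU and HKLM and flags any that launch a DLL through rundll32.exe from a user-writable folder. The Wow6432Node key and the list of user-writable roots are assumptions for illustration; the truncated HKLM path in the quote is left out because the article does not give it in full.

```powershell
# Added example (not from the article or Trusteer): audit the Run keys the
# article quotes and flag entries that start a DLL via rundll32.exe from a
# user-writable directory, a pattern worth a closer look on a suspect host.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # assumption: 64-bit host
)

# Directories an unprivileged user can write to; legitimate installers rarely
# register an autostart DLL here (assumption: adjust for your environment).
$userWritableRoots = @(
    [Environment]::GetFolderPath('LocalApplicationData'),
    [Environment]::GetFolderPath('ApplicationData'),
    $env:TEMP,
    $env:PUBLIC
)

function Get-RunKeyFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            $usesRundll32 = $cmd -match '(?i)\brundll32(\.exe)?\b'
            $fromUserDir = $false
            foreach ($root in $userWritableRoots) {
                if ($root -and $cmd -like "*$root*") { $fromUserDir = $true }
            }
            [PSCustomObject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $cmd
                Rundll32   = $usesRundll32
                UserDir    = $fromUserDir
                Suspicious = ($usesRundll32 -and $fromUserDir)
            }
        }
    }
}

# Suspicious entries sort to the top; review them against the host's
# installed software before removing anything.
Get-RunKeyFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; a rundll32.exe entry pointing into a user profile directory is not proof of infection, but it is the kind of autostart a malware scanner or analyst should inspect first.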

Trusteer, which provides secure Web access, particularly for financial institution Web sites, says Sunspot is unique -- and therefore alarming -- in that it didn’t start off as a financial institution theft trojan, such as Zeus, SpyEye or Bugat, but as something more benign.

“If this is the case, we could be witnessing a sea change in malware development where general purpose and little known malware platforms are re-programmed to carry out financial fraud. This will make it even more difficult to defend against attacks since banks will be ambushed by a growing number of unique financial malware platforms,” Klein wrote.

It’s always something, isn’t it?

UPDATE 2:

Late this afternoon, Microsoft e-mailed me this comment from Pete Voss, senior response communications manager: "We recommend that any users who believe they are affected by the Sunspot Trojan visit Microsoft Security Essentials safety scanner to scan their systems to determine if they are infected, and clean all currently known variants of this trojan."


Copyright © 2011 IDG Communications, Inc.
