December 5th, 2008

Trusteer launches search engine for malware configuration files

Posted by Dancho Danchev @ 7:37 am

Categories: Anti Virus, Botnets, Browsers, Complex Attacks, Hackers, Malware, Passwords, Privacy

Tags: Trusteer, Banker Malware, Crimeware, Zeus, Zbot, Wsnpoem, SilentBanker, Dancho Danchev

Trusteer’s recently launched “Attack Trace” search engine aims to help financial institutions by letting them search through the configuration files of the popular banker malware families SilentBanker, WSNPOEM/Zeus/PRG/Zbot and Torpig to verify whether or not their sites are targeted. And while the search engine is a marketable way to initiate a response channel, it doesn’t take into consideration a simple fact: modern banker malware is no longer exclusively targeting a particular E-banking site, but is targeting all of them simultaneously.

“The Trusteer Attack Trace search engine allows IT professionals to submit their organization’s web address and see a list of malware configuration files that are designed to commit fraud against their brand. By typing their URL address into the Attack Trace search engine, users get a glimpse into the cross section of malware that is specifically aimed at their website and what the code is written to accomplish. The Trusteer Attack Trace search engine searches for leading Trojans and other attack codes including Torpig/Sinowal, WSNPOEM, and NetHell.”

Doing a basic search for https sites, you’ll notice the obvious fact that the majority of popular E-banking and online payment services are well researched, and already targeted. The mindset of the crimeware author is fairly simple, and that’s what makes it so dangerous, since it relies on two key objectives: scalability and efficiency. Due to the modular nature of modern crimeware, as well as the fact that it’s open source, the original author or the crimeware kit’s users are capable of writing their own “injects”, which basically represent researched session activities at targeted financial institutions, thereby making the process of hijacking those sessions efficient.

If financial institutions really want to find out whether they’re targeted by modern banker malware, they should automatically assume so without any hesitation.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog.
