Banker Trojans are rife and popular with the ‘easy money’ crowd of malware authors, though stealing banking information is not without its hazards. It takes a very smart (or a very stupid) person to pull off such a caper without falling within reach of the long arm of the law.
Today a piece of malware (Troj/Bancos-BDF) crossed my desk that at first did not look like a Banker Trojan at all. It eventually turned out to be one of the most nefarious and brazen Banker Trojans I have ever analysed and it managed to do it all with only one small snippet of code. What it did, was add 8 hostnames to the local Windows HOSTS file. That’s it.
The HOSTS files is a place where Windows looks when it wants to resolve a host name to an IP address. Usually this is handled by your ISP’s DNS servers but if Windows finds a matching entry in the HOSTS file it doesn’t bother looking any further. Now this has many uses but in this case all of the host names belonged to a single South American banking institution and all of them redirected to a single IP address.
So what? That doesn’t sound so dastardly does it? Think again.
What this means for anyone infected by this particular Trojan is that any and all attempts to visit the website of the target bank, including logging in to check your balance, viewing the bank homepage and even email correspondence will be re-routed to the assailants IP address. This would give the attacker all the information he needs and by duplicating the banks stationary and email signatures he could wreak untold damage to unassuming victims.
This is by far the most effective man in the middle attack I have evidence of to date and something to think carefully about.
My advice? If you are unsure about the validity of the website, or your banks email correspondence pick up a telephone and give them a call. Oh.. and use Sophos.