Although it has yet to be discovered in the wild, researchers have uncovered a sneaky piece of financial malware, known as i2Ninja, being sold on a Russian cyber crime forum.
The peer-to-peer trojan – which can be used to steal credit card and other financial information – is likely to infect systems via drive-by infection, fake advertisements and bogus links, Etay Maor, fraud prevention solutions manager at Trusteer, told SCMagazine.com on Wednesday. He added that specific targets may also be infected through spear phishing.
“While the malware offers different HTML injection capabilities [targeting poker sites and grabbing email], it will also soon offer a virtual network computing (VNC) module just like all other major malware families,” Maor said, using trojan variants such as Zeus, Citadel and SpyEye as examples. “Once a VNC capable malware infects a device, the attacker's options are almost limitless.”
The i2Ninja malware takes its name from I2P, a layer of networking similar to Tor that uses cryptography to provide secure communications. Maor said I2P is a “true Darknet” that offers better protection than Tor, and explained how the added security layer makes it more difficult to research and understand the malware's infrastructure and capabilities.
However, Maor said he still thinks it is only a matter of time before the I2P encryption is broken – similar to how the FBI made a big arrest on Tor in August by exploiting a Firefox vulnerability – and added that the attackers using i2Ninja likely understand this, as well.
It is unclear just how much of a threat i2Ninja represents right now, Maor said, but the malware seems to be in high demand.
“The cyber criminal offering the malware in the underground indicated he has enough business due to the malware's underground publicity and indicated he cannot handle more requests to buy the malware,” Maor said. “The cyber criminal who posted the information regarding i2Ninja is a known and credible forum member.”
Although Trusteer researchers are still investigating i2Ninja, Maor advises using software capable of identifying such malware on the endpoint, combined with web-based solutions capable of identifying incoming infected devices and correlating high risk events to defend against it.