Details of the URLZone trojan, which not only retrieves banking credentials but also steals money from compromised accounts, were revealed in the third issue of Finjan's 2009 Cybercrime Intelligence Report, released Wednesday.
Other notorious banking trojans, such as Zbot, just aim to steal credentials, which later are used by attackers to log into a victim's account to steal money.
But with URLZone, the transaction takes place from an infected user's machine, Ben-Itzhak said. In addition, the trojan was crafted to include several sophisticated features that help attackers avoid detection from anti-fraud systems and victims.The trojan began propagating in mid-August, according to Finjan. The malware writers used a software tool known as LuckySploit, available on hacking forums for $100 to $300, to inject vulnerable legitimate websites with malicious code that aims to install the trojan onto users' computers.
Once a user was infected, the trojan received instructions from the attackers command-and-control server, hosted in Ukraine, to steal a certain amount of money from the victim's bank account and transfer it to the account of a so-called “money mule.”
Money mules are individuals who have been unwittingly hired by cybercriminals under the guise of work-at-home schemes. They are tasked with transferring the stolen money, after a deduction of their own commission, into a bank account provided by the attacker.Attackers also sent instructions to the trojan to ensure that the amount of money stolen did not deplete the victim's account and that a random amount is stolen each transaction, indicating attackers had an understanding of banking anti-fraud systems, which are designed to detect unusual transactions.