“So far, this is the most sophisticated bank trojan that we have seen,” Yuval Ben-Itzhak, CTO of Finjan, told SCMagazineUS.com on Wednesday.
Details of the URLZone trojan, which not only retrieves banking credentials but also steals money from compromised accounts, were revealed in the third issue of Finjan's 2009 Cybercrime Intelligence Report, released Wednesday.
Other notorious banking trojans, such as Zbot, just aim to steal credentials, which later are used by attackers to log into a victim's account to steal money.
But with URLZone, the transaction takes place from an infected user's machine, Ben-Itzhak said. In addition, the trojan was crafted to include several sophisticated features that help attackers avoid detection from anti-fraud systems and victims.The trojan began propagating in mid-August, according to Finjan. The malware writers used a software tool known as LuckySploit, available on hacking forums for $100 to $300, to inject vulnerable legitimate websites with malicious code that aims to install the trojan onto users' computers.
The malware exploited vulnerabilities in Internet Explorer (IE) 6, IE7, IE8, Firefox and Opera, Ben-Itzhak said. Out of 90,000 individuals who visited one of the compromised sites, 6,400 were infected with the trojan -- or one out of every 14 to 15 visitors.
Once a user was infected, the trojan received instructions from the attackers command-and-control server, hosted in Ukraine, to steal a certain amount of money from the victim's bank account and transfer it to the account of a so-called “money mule.”
Money mules are individuals who have been unwittingly hired by cybercriminals under the guise of work-at-home schemes. They are tasked with transferring the stolen money, after a deduction of their own commission, into a bank account provided by the attacker.Attackers also sent instructions to the trojan to ensure that the amount of money stolen did not deplete the victim's account and that a random amount is stolen each transaction, indicating attackers had an understanding of banking anti-fraud systems, which are designed to detect unusual transactions.
In an even more sophisticated ploy, the trojan altered the victim's online banking page to change the amount of the transfer to a smaller number. In one transaction, the cybercriminals stole more than $8,000, but to the victim, it appeared like a $53 transaction.
Finjan discovered the hub used in the attack on Aug. 24, and it is no longer running, Ben-Itzhak said. German law enforcement was notified.