Single-use passwords aren't safe...
Published: 27 March 2006 08:41 GMT
Two Trojan horses with distinctive traits have been flagged by security researchers: one that hijacks one-time-use passwords, and another that hides behind a rootkit.
The unrelated malicious programs, reported last week by security companies, represent new twists thought up by hackers in their development of Trojan horses, which are harmful programs disguised to look like innocent software.
Banks in Germany, Spain and the UK have been targeted by MetaFisher, otherwise known as Spy-Agent and PWS. After infecting a computer, the Trojan horse waits until the user visits a legitimate bank website, then injects malicious HTML into certain fields there. The program then hijacks one-time-use PINs and transaction numbers as the person enters them into the fields.
As a result, those one-time PINs and transaction numbers are never logged onto the website and they remain valid, said Ramses Martinez, a director at security company iDefense. The intruders then probably store the data either for their own use or sell it on to others, he added.
The attackers attempt to place the Trojan on a computer using an exploit for the Windows Meta File flaw in Microsoft's Internet Explorer, according to a Symantec advisory.
The potential victim must visit a malicious website to infect their system, and attackers may use emails to direct them there. A keylogger, which surreptitiously records the user's keystrokes, is installed on the computer alongside the Trojan.
Sana Labs discovered the other Trojan, which is distributed alongside a rootkit that hides it. The malicious software spreads via the Alcra worm, which directs infected Microsoft Windows PCs to websites where the programs are downloaded, Sana said.
The Trojan is able to unearth passwords and usernames used previously on a machine and does not have to track keystrokes, according to Sana. The security company said it has discovered 37,000 usernames and passwords, the majority for social networking websites, on log files in 7,000 locations.
Once the malicious software is loaded onto a PC, it communicates with a Russian web server, which stores the usernames and passwords gleaned by the Trojan.
Sana said the Trojan is well hidden by the kernel-level rootkit and that because of this, some antivirus programs may have difficulty detecting it. The company said, as of last Monday, only five security applications - eTrust-Vet, NOD32 version 2, Sophos, UNA and VBA32 - were able to detect the threat.
Dawn Kawamoto writes for CNET News.com
Photos: Inside the RSA cybercrime war room
Legal Eye: Does Home Office online surveillance go too far? Photos: How computing cracks terrorist networks Photos: McKinnon "distraught" says family Analysis: A globetrotter's guide to cyber crime Opinion: What's the point of security? Analysis: How to catch a cyber criminal? Do it yourself
Analysis: What's the next malware threat?
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
