Bank trojan charges for sex, breaks two-factor

By Liam Tung, ZDNet Australia
Thursday, January 17, 2008 11:35 AM

A banking trojan designed to intercept Australian customers' security details has been discovered which can circumvent two-factor authentication and will force-feed 600 porn sites to infected PCs, according to security researchers.

The trojan, which installs itself as a .midi music player driver on Windows systems, not only steals passwords, session cookies and digital certificates, but also directs infected computers to over 600 porn Web site URLs, which the attackers use to generate extra income.

"The scale and sophistication of this emerging banking trojan is worrying, even for someone who sees banking trojans on a daily basis," said Symantec security researcher, Liam OMurchu, on Symantec's blog.

The trojan is targeting customers of 400 banks around the world, including banks from Turkey, the United States, Europe and several banks from Australia, John McDonald, senior security response manager for Symantec told ZDNet Australia.

"But it's not just about these banks. The configuration information can be updated anytime, which means that at any time, banks can be added or dropped from that list," he told ZDNet Australia.

Because the bank's real Web page is presented to the user, OMurchu fears that customers equipped with a second-factor one-time password--delivered by SMS or security "dongles", which generate random authentication codes every few seconds--will not suspect anything and then enter their second-factor code, unwittingly giving the attacker their money.

"The ability of this trojan to perform man-in-the-middle (MITM) attacks on valid transactions is what is most worrying. The trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead," said OMurchu.

However, National Australia Bank's general manager of technology, risk and security, Gary Blair, has previously said that MITM attacks are impossible where an SMS two-factor authentication system is used. NAB offers its customers one-time user passwords sent by SMS at the time of a customer making a transaction. But according to Symantec's McDonald, this trojan can beat even that authentication system.

"I don't believe it matters where passwords [are] delivered from, [the password] still must be entered on the Web page so it wouldn't matter how it was sent--they still have to enter the password to the online banking form and that's where it is intercepted," said Symantec's McDonald.

One variant of this trojan also changes a PC's DNS (domain name system) server settings, so that the machine's name look-ups, and with them its browser connections, are redirected to attacker-controlled servers.

"This feature could also mean that if the trojan is removed but the DNS settings are left unchanged then the user may still be at risk," said OMurchu.

A similar trojan targeting Commonwealth Bank customers was discovered in November last year; however, this trojan is even more advanced, according to F-Secure threat response manager Patrik Runald, who discovered the older trojan.

"That older banking trojan only replaced the content of the login page whereas this one can change transactions in real-time," Runald told ZDNet Australia.

"We've seen this before though so this is not the first trojan that can do this but it is worrying that we're seeing more of them that can do this," he added.


Talkback (1 comment)

This problem was anticipated by the cellular industry as a risk factor for financial and social networking environments. Deploying trojans into the packet data networks is on the rise and is a powerful method of infiltration. Additionally, the industry is also seeing OS attacks on relevant smart phone operating systems such as Symbian. It appears the more complicated the solution for protection, the easier it is for the attackers to find insertion. The industry needs to focus on a structurally separate methodology for authentication. Utilizing the cellular voice network to send a two-factor authentication call to a cell phone that required a PIN would be able to interrupt theft if a PIN were not inserted, and provide a barrier for a safe authentication. From there, fraud alerts could be initiated and system-level, policy-based action taken to shut off activity.
Look at Phonefactor.net for an interesting solution in this space, purpose built to solve this problem.

Klint Borozan
SVP Positive Networks, Inc.
Posted by Klint Borozan on Thursday, January 24 2008 12:16 AM
