Virus lets hackers clean out accounts



Tylerdurden
01-21-2008, 09:12 AM
Gillian Shaw, Canwest News Service

Published: Thursday, January 17, 2008
In what is being billed as one of the most sophisticated cyberattacks to hit the Internet, a virus has been released that gets between computer users and their banking websites, giving thieves free rein to drain accounts and wreak financial havoc on their victims.
Dubbed the "silentbanker," the virus is a Trojan horse that computer users can unknowingly download onto their computers by simply browsing websites.
It operates undetected, with the first sign that it is at work the possible notification from a bank that a client has been a victim of fraud.

More than 400 banks -- including some in Canada -- have been targeted worldwide by the virus, which operates in many languages, according to Symantec, a global security company that has been tracking the progress of the Trojan.
"I'd have to say it is one of the most sophisticated we have seen. What makes it more dangerous is it seems to be staffed by professional software developers," said Al Huger, vice-president of security response and services for Symantec.
"They are writing this and maintaining it just like they would a piece of software you might buy. There is a lot of money on the line for them. It is certainly organized."
Unlike conventional cyberbanking frauds, where bank clients are steered to a bogus website masquerading as their bank's online pages, in this scam, the hacker uses the genuine bank website and so is able to manipulate the user's account, steering payments into a hacker's account or cleaning out the bank funds altogether.
When a banking client signs onto his or her banking website, the hacker is a silent third party -- occasionally showing a presence by adding a new function button to the site, such as a request for additional security information -- but often remaining completely hidden and making no changes at all to the site the banking client is seeing.
All the functions, from transferring funds, to paying bills or checking credit card balances, remain the same and they continue to work, thereby giving the user no cause for suspecting the site has been compromised.
"What they are doing is they are already on your computer, and when you type on your computer, they are sitting between your keyboard and the bank," said Huger.
"They are intercepting everything you send to your bank and everything your bank sends to you. It is called a man-in-the-middle attack."
Huger said the current attack has been underway for about four days, and while he said Symantec has seen it try to infect thousands of its customers, the company's security software has stymied the attempts.
However, computer users who don't have up-to-date anti-virus security software installed, or who haven't updated their web browser to fix flaws that are allowing the Trojan to proliferate, are open to attack.
"It sits on the website and, unbeknownst to you, it downloads to your system," said Huger, who added that the hackers behind "silentbanker" are probably also trying to send the virus out via e-mail.
Huger said the download could originate from many legitimate websites.
"It is the complete gamut -- from gaming sites to porn sites to home-craft sites," he said.



http://www.canada.com/calgaryherald/news/story.html?id=7602ab59-c42c-4b76-9607-cff8c352eac0
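Added example, not from the thread, the Canwest article, or Symantec: a bank login page's own integrity check for the kind of injected "additional security information" prompt the article describes. It runs under Node without a DOM, so the forms are constructed HTML strings and the field names are hypothetical.

```javascript
// Added example: compare the login form actually rendered in the browser
// against the manifest of fields the bank's page is supposed to contain.
// A man-in-the-browser Trojan that injects extra inputs (e.g. a PIN prompt)
// or strips one (e.g. the CSRF token) shows up as a mismatch.
// Field names and sample forms are constructed for this example.

const EXPECTED_LOGIN_FIELDS = ["username", "password", "csrf_token"];

// Minimal parser: pull the name attribute off every input/select/textarea.
function extractFieldNames(html) {
  const names = [];
  const tagRe = /<(input|select|textarea)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const nameMatch = /\bname\s*=\s*["']?([^"'\s>]+)/i.exec(m[0]);
    if (nameMatch) names.push(nameMatch[1].toLowerCase());
  }
  return names;
}

// Returns fields that were injected (present but not expected) and fields
// that went missing (expected but absent). Either is an anomaly to report.
function checkFormIntegrity(html, expected = EXPECTED_LOGIN_FIELDS) {
  const seen = extractFieldNames(html);
  const expectedSet = new Set(expected.map((n) => n.toLowerCase()));
  const injected = seen.filter((n) => !expectedSet.has(n));
  const missing = expected.filter((n) => !seen.includes(n.toLowerCase()));
  return { injected, missing, clean: injected.length === 0 && missing.length === 0 };
}

// Constructed sample: the bank's genuine login form ...
const CLEAN_FORM = `
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="constructed-token">
</form>`;

// ... and the same form after a Trojan inserted an extra "security" prompt.
const TAMPERED_FORM = CLEAN_FORM.replace(
  "</form>",
  `  <input type="text" name="atm_pin">\n  <input type="text" name="mothers_maiden_name">\n</form>`
);

if (typeof require !== "undefined" && require.main === module) {
  console.log("clean form:", checkFormIntegrity(CLEAN_FORM));
  console.log("tampered form:", checkFormIntegrity(TAMPERED_FORM));
}
```

Because the Trojan controls the same browser, it can suppress or alter this script; the result is only useful when reported to the bank's server and correlated with other signals, never trusted on the client alone.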

Tanbark Spanker
01-21-2008, 01:17 PM
Oh, ...and I suppose these account cleaners will expect a tip.

Joe (SoCal)
01-21-2008, 01:22 PM
Nope :p

http://www.creativeit.tv/images/apple-powerbook-data-recovery.jpg

pcford
01-21-2008, 01:54 PM
Nope :p



Sorry fanboy:

http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml

Tylerdurden
01-21-2008, 02:00 PM
They said it was the bank's own website they were into. What would the brand of home PC you are using have to do with it?

ishmael
01-21-2008, 02:13 PM
I don't do internet commerce for just this reason. 95% of the time there's no problem, but that five percent can cause havoc. If the bank's security system is breached then all bets are off. Keep good track of your statements, and raise the alarm if something is amiss.

I think I'll go fondle my gold now. LOL.

Uncle Duke
01-21-2008, 02:26 PM
Tyler asks:

They said it was the bank's own website they were into. What would the brand of home PC you are using have to do with it?
Here's how it works, Mark.
You foolishly open an email attachment which then installs the trojan on your computer, or you link to some nasty (purposefully infected) website which downloads the trojan on your computer.
The trojan, once installed, just sits and watches where you go on the internet. Once it sees you accessing a bank site (it apparently knows about 400 of those addresses) it starts logging your keystrokes. Those keystrokes include everything you have to type in order to access the site.
Then it sends that login information back to some central place - now the people there can log in to your bank exactly as if they are you.
Why does the type of computer matter? Because the virus has to live and operate on your computer - they are not infecting the bank web site, they are infecting your computer. So they have to create the virus for a specific operating system. In almost all cases this is Windows, since that is used on about 98% of consumer computers - that is where the most reward would be.
What makes this one slightly more interesting than the usual 'man in the middle' attack is its ability to actually modify, on the fly, the messaging between consumer and bank if needed. Still - it is not resident on the bank website, it is still a 'man in the middle' attack, which will not be a problem to anyone running up-to-date anti-virus software.
Symantec Info here (http://www.symantec.com/enterprise/security_response/weblog/2008/01/banking_in_silence.html).

Uncle Duke
01-21-2008, 02:34 PM
Ish notes:

95% of the time there's no problem, but that five percent can cause havoc. If the bank's security system is breached then all bets are off.
Note, again, it is not the bank site which is breached, it is your home computer. If you run decent anti-virus stuff, and just do sensible things, there is no problem.
Sort of relates to your thread about the commercialization of fear, you know? Over 95% of identity theft cases turn out to be from members of your family. A large number of the rest are from 'retail' theft people - you give your card to a high-school dropout in a restaurant and he does not come back for 3 minutes, nobody thinks twice about it. In the meantime he's in the back writing down all the card information.
Very little is from buying books at Amazon.com or from doing online banking. But that is where the fear is sold.

Joe (SoCal)
01-21-2008, 02:40 PM
Well, it must be good for SOMETHING, seeing as how you can't eat it, wear it, or heat your home with it :D

Reminds me of that Twilight Zone episode where three guys rob a big gold depository and then hide out in a cave. One of the thieves was a scientist that put everyone in a cryogenic state for 100 years to hide out.

When they wake up one guy gets greedy and destroys the old truck and kills one guy. Then it's just the scientist and the greedy thief walking through the desert. They are both carrying big heavy backpacks of gold. The scientist loses his water. Dying of thirst, the greedy thief capitalizes on the scientist's thirst and tells him he will share his water. One sip, one bar of gold. Eventually the scientist hits the greedy thief with a bar of gold and kills him. But the heat of the desert gets to him. He drops the bag of gold and eventually passes out on the side of the road. A couple find him and he begs them for water. He dies and the husband tells the wife he wanted to give me some gold. She's like gold????? But gold is worthless since it's been made synthetically for years.

ishmael
01-21-2008, 02:41 PM
"Note, again, it is not the bank site which is breached, it is your home computer."

Sometimes the bank is breached.

I don't buy much stuff in general, will now and then give my card number out over the phone, but never over the web. I don't do online banking or brokerage. I know it's usually safe, but I don't trust it.

Call me a troglodyte.

High C
01-21-2008, 02:44 PM
Here's Symantec's take on this one:

Trojan.Silentbanker
Risk Level 1: Very Low


Discovered: December 17, 2007
Updated: January 8, 2008 12:54:17 PM
Also Known As: Spy-Agent.cm [McAfee]
Type: Trojan
Infection Length: 54,189 bytes and 98,304 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Trojan.Silentbanker is a Trojan horse that records keystrokes, captures screen images, and steals confidential financial information to send to the remote attacker.

Protection

* Initial Rapid Release version December 17, 2007 revision 023
* Latest Rapid Release version January 10, 2008 revision 023
* Initial Daily Certified version December 17, 2007 revision 032
* Latest Daily Certified version January 15, 2008 revision 016
* Initial Weekly Certified release date December 19, 2007

Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Moderate
* Removal: Easy

Damage

* Damage Level: Medium
* Payload: Records keystrokes and captures screen images
* Releases Confidential Info: Steals confidential financial information

Distribution

* Distribution Level: Low

Joe (SoCal)
01-21-2008, 02:45 PM
troglodyte :p

Joe (SoCal)
01-21-2008, 02:46 PM
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP



Mac Safe yet again :D

Uncle Duke
01-21-2008, 03:17 PM
Sometimes the bank is breached.
Sometimes data is stolen from banks' or merchants' (Discount Shoe Warehouse at least twice that I know of) internal systems, by internal personnel, and resold.
But that is NOT what the virus/trojan under discussion does. It sits between your keyboard and the Internet, pretending to be you. If you run anti-virus software and keep it updated and only do eCommerce on sites which start 'https', then you are MUCH more likely to have your card stolen by someone you know or someone you hand it to than to have it stolen online.

elf
01-21-2008, 03:24 PM
Look, guys. It's an exe file. If you can't run exe files you can't get the virus.

Macs don't run exe files.

This is very basic virusware. Mac users have always been immune to this sort of virus. No point making fun of Joe about it. He's correct about how it works, no matter how confused the original newspaper is. Even the dopes running the newspaper say that if you don't keep your virus protection up to date you're vulnerable. That's PC speak for an exe file.

Joe (SoCal)
01-21-2008, 04:19 PM
Look, guys. It's an exe file. If you can't run exe files you can't get the virus.

Macs don't run exe files.

This is very basic virusware. Mac users have always been immune to this sort of virus. No point making fun of Joe about it. He's correct about how it works, no matter how confused the original newspaper is. Even the dopes running the newspaper say that if you don't keep your virus protection up to date you're vulnerable. That's PC speak for an exe file.

EXEactly :D

Gonzalo
01-21-2008, 04:56 PM
I had an experience like Norman's, only Visa found out that a merchant's system had been breached before anybody used my card. They canceled a block of cards as a preventative measure and sent me a new one. Once again, not a problem with e-commerce. The merchant would have my card information whether I used it at a store, ordered by phone, or ordered on-line. You'd only be safe from that type of problem if you never used a card at all but bought everything with cash or check.

George Roberts
01-21-2008, 06:16 PM
Credit card issues are very strange.

We have a set of corporate cards. There is a master number associated with the cards. The master number is a valid credit card number assigned to no one. It is stored nowhere.

Someone used the master number in Europe. It appears that numbers need not be stolen, this one could not have been stolen as it exists nowhere. Thieves often make up numbers. There are enough numbers in existence that making up a number (following certain guidelines) will more often than not produce a valid account number.

---

While Macs don't run "exe" files they do run executable files and they do run program macros and such. An "exe" file is simply a package. The bad guys know how to repackage.

Learn your computing.

Joe (SoCal)
01-21-2008, 06:18 PM
Learn your computing.

You learn, 'cause obviously you don't know anything about Macs.
:rolleyes: