
Non-financial malware is being repurposed for fraud

Harder to detect than common banking trojans
Thu Sep 08 2011, 12:16

SECURITY EXPERTS AT TRUSTEER are warning users about a computer trojan that has been retrofitted with components that steal banking details.

Dubbed Shylock, this threat has existed for some time, but in a simpler form that served traditional cybercriminal purposes. The new variant has financial fraud capabilities and its components differ significantly from those of similar trojans.

For one, Shylock uses an improved method of injecting code into browser processes. This technique is normally used to insert rogue fields into legitimate forms with the purpose of stealing financial data.

For example, after logging into their online banking web site, users whose computers are infected with this threat might be prompted to confirm their credit card details including PIN and CVV2 number. This form is generated by the trojan and sends the information back to its creators.
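The form-injection technique described above, as an added example that is not part of the article or of Trusteer's products: a simplified client-side integrity check of the kind a bank's page could run to flag input fields that were not part of its own login form. The expected-field manifest, the sensitive-name patterns and the two HTML samples are all constructed here for illustration; in a real page the same comparison would be made against `document.forms` rather than an HTML string.

```javascript
// Added example: detecting fields injected into a login form by a
// man-in-the-browser trojan. Not code from the article or from Trusteer.

// Assumed manifest of the fields the bank's own login form contains.
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password", "csrf_token"]);

// Name fragments that a legitimate login form would never ask for;
// an unexpected field matching one of these is treated as suspicious.
const SENSITIVE_PATTERNS = [/pin/i, /cvv/i, /cvc/i, /card/i, /ssn/i];

// Minimal extractor for <input ...> tags: returns each field's name and type.
// A regex is enough for this offline demo; a browser page would read the DOM.
function extractInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const name = (attrs.match(/\bname\s*=\s*["']([^"']*)["']/i) || [])[1];
    const type = ((attrs.match(/\btype\s*=\s*["']([^"']*)["']/i) || [])[1] || "text").toLowerCase();
    if (name) inputs.push({ name, type });
  }
  return inputs;
}

// Compare the fields actually rendered against the manifest.
// Returns a report listing extra fields, missing fields and the subset of
// extra fields that look like a credential-harvesting prompt.
function checkFormIntegrity(html, expected = EXPECTED_LOGIN_FIELDS) {
  const observed = extractInputs(html);
  const observedNames = new Set(observed.map((i) => i.name));
  const unexpected = observed.filter((i) => !expected.has(i.name));
  const missing = [...expected].filter((n) => !observedNames.has(n));
  const suspicious = unexpected.filter(
    (i) => i.type === "password" || SENSITIVE_PATTERNS.some((p) => p.test(i.name))
  );
  return {
    tampered: unexpected.length > 0 || missing.length > 0,
    unexpected: unexpected.map((i) => i.name),
    missing,
    suspicious: suspicious.map((i) => i.name),
  };
}

// Constructed sample: the bank's genuine login form.
const CLEAN_FORM = `<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="example-token">
</form>`;

// Constructed sample: the same form after a trojan has appended a
// "confirm your card details" prompt of the kind the article describes.
const INJECTED_FORM = CLEAN_FORM.replace(
  "</form>",
  `  <input type="text" name="card_number">
  <input type="password" name="pin">
  <input type="text" name="cvv2">
</form>`
);

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(checkFormIntegrity(CLEAN_FORM)));
  console.log(JSON.stringify(checkFormIntegrity(INJECTED_FORM)));
}
```

Because the trojan runs inside the browser process, it can in principle alter this script as well as the form, so a check like this is a detection aid that should be paired with server-side validation (rejecting submissions carrying fields the form never defined) rather than relied on alone.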

Shylock also employs better detection evasion techniques than similar threats and features a sophisticated watchdog service that prevents its removal. If some of its components are deleted by security software, this service restores them.

"As with all financial fraud toolkits, Shylock's detection rate among anti-malware solutions and fraud detection systems is extremely low," warns Trusteer CTO Amit Klein.

"The ability of cyber criminals to develop, distribute, and operate new tools under the radar of the industry is troubling. Enterprises and individuals continue to rely on security architectures that were designed 20 years ago and have limited value in protecting their critical assets against cybercrime attacks," he adds.

Shylock is not the first piece of malware to be repurposed for financial fraud. A few weeks ago Trusteer researchers identified a new version of a file infector called Ramnit that exhibited similar characteristics.

There is strong evidence that Ramnit's authors incorporated financial fraud components from Zeus, the infamous banking trojan whose source code has been freely available online for months.

Back in May, the company's experts came across an obscure trojan called Sunspot that was also modified for use in financial fraud. These threats signal a trend in the malware development scene that might be triggered by the fact that trojans like Zeus or SpyEye have become too widespread and are easily blocked by antivirus vendors.

Trusteer has launched new versions of its cybercrime prevention products, including Rapport, a solution that prevents financial trojans from interfering with browsing sessions. The update allows Rapport clients to detect new threats within 10 minutes of their discovery.

Comments
no thanks

I wouldn't trust their 'Rapport' any more than Zeus and co.

If you want security, just grab a recent Linux Live CD/USB and surf bank sites from it.

It's that simple.

posted by: William Wilson, 08 September 2011