Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Friday, December 4, 2009

The Latest in Trojan Attacks

From http://www.webhostingfan.com/2009/12/the-latest-in-trojan-attacks/


Just when it seems as though malware and Trojan attacks could not get much worse, along comes yet another to toss a monkey wrench into the works. The latest Trojan horse program to surface on the Web is URLzone, which targets online banking.

Is that your bank?

The URLzone Trojan horse program was discovered by Finjan Software at the end of September 2009 and has been reported as being extremely advanced. The program rewrites bank pages in such a way that unsuspecting victims have no idea their accounts are being emptied. Through an integrated command-and-control interface, the operators can set the specific amounts they want removed from each victim's account.

Slippery little bugger

Not only has this bit of malicious code gathered the interest of Finjan; RSA Security has also been tracking and researching URLzone. Thus far the Trojan has proven a slippery one to catch. The malware uses several techniques to identify machines being used by law enforcement and investigators in their attempts to catch it. The one good thing to come of this is that the creators of the program know they are now being watched, and are reacting to it.

Just how slippery is this Trojan? Once it has detected that it is being monitored, it still forces a money transfer. But instead of routing it through one of its own mules, it picks a legitimate, innocent account holder who has taken part in legal transfers in the past and makes it appear as though that person is behind the transaction. The end result is a bunch of very confused investigators.

To date, over 400 unsuspecting accounts have been used as mules, over 6,400 computers have been infected with URLzone, and the total amount cleared on a daily basis has been in excess of $17,500.

How does it work?

How does URLzone work its way onto an unsuspecting computer? Once the malware executes, it copies itself to c:\uninstall02.exe. It then generates an ID and sends it, along with the URLzone version, to the command-and-control interface; this confirms to the operators that the machine in question is now infected. The command-and-control side logs the information, the bot downloads a new executable, and that executable is copied into the SYSTEM32 directory under a random, hidden name. The program does not change any existing system files; instead it persists by adding itself to the startup registry key, so that it is launched again each time the machine is rebooted.
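The artifacts described above (a copy at c:\uninstall02.exe, a hidden executable with a random name in SYSTEM32, and a startup registry entry pointing at it) are exactly what a responder would sweep for on a suspect host. The script below is an added example, not code from the article or from Finjan or RSA: it triages a snapshot of Run-key entries against those artifacts. The entries, the hidden-file set and the baseline of expected autostart binaries are constructed for the example; on a live host you would collect the entries from the HKLM and HKCU ...\CurrentVersion\Run keys and the hidden attribute from the file system.

```python
import ntpath

# Paths named in the write-up above.
DROPPER_COPY = r"c:\uninstall02.exe"
SYSTEM32 = r"c:\windows\system32"

# Constructed baseline of autostart binaries expected in System32.
# A real baseline would come from a known-clean image of the same Windows build.
BASELINE = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe"}

# Constructed snapshot of Run-key entries: (value name, command line).
SAMPLE_RUN_ENTRIES = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("IgfxTray", r"C:\WINDOWS\system32\igfxtray.exe"),
    ("Updater", r'"C:\WINDOWS\system32\xk7qw2pl.exe"'),  # constructed to mimic the described artifact
    ("uninst", r"C:\uninstall02.exe"),
    ("Skype", r'"C:\Program Files\Skype\Phone\Skype.exe" /nosplash'),
]

# Constructed set of files that carry the hidden attribute.
SAMPLE_HIDDEN = {r"C:\WINDOWS\system32\xk7qw2pl.exe"}


def exe_from_command(command):
    """Return the lower-cased executable path from a Run-key command string."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command[1:].lower()
    return command.split(" ", 1)[0].lower()


def looks_random(filename):
    """Cheap heuristic for machine-generated names: a stem of 6+ characters
    with digits mixed into letters, or with no vowels at all."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 6:
        return False
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    no_vowel = not any(c in "aeiou" for c in stem)
    return (has_digit and has_alpha) or no_vowel


def triage_run_entries(entries, hidden_files):
    """Flag Run-key entries matching the URLzone artifacts described above.

    Returns a list of (value name, executable path, reasons)."""
    hidden = {p.lower() for p in hidden_files}
    findings = []
    for name, command in entries:
        exe = exe_from_command(command)
        base = ntpath.basename(exe)
        reasons = []
        if exe == DROPPER_COPY:
            reasons.append("path matches the dropper copy named in the write-up")
        if exe.startswith(SYSTEM32 + "\\") and base not in BASELINE:
            if exe in hidden:
                reasons.append("hidden executable in System32")
            if looks_random(base):
                reasons.append("random-looking filename in System32")
        if reasons:
            findings.append((name, exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in triage_run_entries(SAMPLE_RUN_ENTRIES, SAMPLE_HIDDEN):
        print(f"{name}: {exe} -> {'; '.join(reasons)}")
```

The baseline check runs first so that legitimate System32 autostarts with odd names (hkcmd.exe has no vowels) are not flagged; anything else that is hidden or random-looking in System32, or that sits at the dropper path, is reported with the reason so an analyst can pull the file for a second look.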

At this point URLzone hooks itself into the svchost.exe process and quietly polls the command-and-control interface for new updates and commands, while at the same time watching for web browsers to open. Once a browser is opened, the Trojan goes to work, and the computer user is completely unaware that anything is happening.
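Because URLzone polls its command-and-control interface on a schedule, that polling is visible at the proxy even though the page rewriting happens on the client. The script below is an added example (not code from the article, Finjan or RSA) that flags client/host pairs with suspiciously regular request spacing in proxy logs. The log lines, their Squid-style layout, the host update-host.example and the gate.php query string are all constructed for the example; URLzone's real check-in format is not given in the article.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log lines in a Squid-style access.log layout:
# "<epoch> <ms> <client> <result> <bytes> <method> <url> - <peer> <type>".
BASE = 1259925600.0  # 2009-12-04 12:00:00 UTC, chosen to match the post date


def log_line(ts, client, url):
    return f"{ts:.3f} 120 {client} TCP_MISS/200 348 GET {url} - DIRECT/203.0.113.10 text/html"


def build_sample_log():
    """Constructed sample: one host checking in every 300 s, one host browsing."""
    lines = []
    # Infected host: check-in every 300 s with a little jitter. Host name and
    # query string are assumed for the example, not URLzone's real format.
    jitter = [0.0, 1.5, -1.2, 0.8, -0.5, 2.0, -1.8, 0.3]
    for i, j in enumerate(jitter):
        lines.append(log_line(BASE + 300 * i + j, "10.0.0.5",
                              "http://update-host.example/gate.php?id=a1b2c3&v=3"))
    # Clean host: ordinary browsing with irregular timing.
    for offset in (0, 40, 700, 710, 1500, 3900):
        lines.append(log_line(BASE + offset, "10.0.0.7", "http://news.example/index.html"))
    for offset in (12, 13, 1800):
        lines.append(log_line(BASE + offset, "10.0.0.7", "http://cdn.example/style.css"))
    return lines


def parse_line(line):
    """Return (timestamp, client IP, destination host) from one log line."""
    fields = line.split()
    return float(fields[0]), fields[2], urlsplit(fields[6]).hostname


def find_beacons(lines, min_requests=6, max_cv=0.1):
    """Return (client, host, mean gap in seconds, request count) for pairs whose
    request spacing is regular enough to look like a check-in loop.

    cv is stdev/mean of the gaps between requests; human browsing to a site
    gives a cv well above 1, a timer-driven poller gives one near 0."""
    times = defaultdict(list)
    for line in lines:
        ts, client, host = parse_line(line)
        times[(client, host)].append(ts)
    findings = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((client, host, round(avg, 1), len(stamps)))
    return findings


if __name__ == "__main__":
    for client, host, avg, count in find_beacons(build_sample_log()):
        print(f"{client} -> {host}: {count} requests, one every {avg} s")
```

Treat the output as leads rather than verdicts: legitimate update clients and webmail pollers also talk on a timer, so in practice you raise max_cv to tolerate deliberate jitter, exclude known updater hosts, and compare against what the same client did last week before escalating.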

Final Thoughts

All in all, the URLzone Trojan horse program is one nasty piece of work. The best defense any computer user can take is to ensure that their operating system has the latest security updates installed and that their anti-virus software has been updated with the latest signatures.

Once again, you should also make sure you are protecting your end-users from browsing to malware sites, and that your proxy is scanning for malware with the latest anti-malware updates.
