Tatanarg Banking Trojan

The finance and banking industries have been dealing with a range of sophisticated, financially motivated malware, including Zeus, Bugat, Mitmo, OddJob, and their variants.  Banking Trojans are usually designed to extract authentication information sent between a user's browser and a bank's server.  Recently, Symantec identified a new component-based banking Trojan that they are calling Tatanarg.  Components capable of performing multiple functions are installed on the targeted computer, whether through emailed attachments, drive-by web attacks, infected USB keys or other means.

Tatanarg disrupts any anti-virus products installed on the computer and eliminates competing malware such as Zeus.  It then sets itself up to launch a "Man in the Browser" attack, altering the HTML in the browser and inserting additional fields into web pages to capture extra information from the victim.  Tatanarg also hijacks the cryptographic protocol connections, such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS), between the browser and the server, acting as a proxy and gaining access to all communications sent or received under these protective protocols.
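The web-injection half of the attack is visible only in the victim's browser: the HTML the bank serves is clean, and the extra fields appear after the page has been rendered. One defensive check a bank's fraud team can run is to compare a snapshot of the DOM as the customer's browser rendered it against a baseline of the input names each genuine form carries. The following is an added example, not code from the original post or from Symantec; the form id `login`, its baseline fields, and both page snapshots are constructed for illustration.

```python
"""Spot form fields injected into a bank page by a Man-in-the-Browser Trojan.

Added example, not code from the original post. It assumes the bank keeps a
baseline of the input names each genuine form contains (constructed here) and
receives a snapshot of the HTML as rendered in the customer's browser.
"""
from html.parser import HTMLParser

# Constructed baseline: field names the genuine form is known to carry.
# The form id "login" and its fields are hypothetical, not from the post.
EXPECTED_FIELDS = {"login": {"username", "password", "csrf_token"}}


class FormFieldCollector(HTMLParser):
    """Collect input/select/textarea names for each <form>, keyed by id or name."""

    def __init__(self):
        super().__init__()
        self.forms = {}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Fall back to a positional key when the form carries no id or name.
            self._current = a.get("id") or a.get("name") or f"form{len(self.forms)}"
            self.forms.setdefault(self._current, set())
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self.forms[self._current].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_injected_fields(html, expected=EXPECTED_FIELDS):
    """Return {form: sorted unexpected field names}.

    A form absent from the baseline is reported with all of its fields, since a
    wholly injected form is as suspicious as an injected field.
    """
    p = FormFieldCollector()
    p.feed(html)
    p.close()
    findings = {}
    for form, fields in p.forms.items():
        extra = fields - expected[form] if form in expected else fields
        if extra:
            findings[form] = sorted(extra)
    return findings


# Constructed snapshots: what a clean browser renders vs. what an infected one shows.
CLEAN_PAGE = """
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="submit" value="Sign in">
</form>
"""

INJECTED_PAGE = """
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc">
  <label>Card number <input type="text" name="card_number"></label>
  <label>ATM PIN <input type="password" name="pin"></label>
  <input type="submit" value="Sign in">
</form>
<form id="verify" method="post" action="/login">
  <input type="text" name="mothers_maiden_name">
</form>
"""

if __name__ == "__main__":
    print(find_injected_fields(CLEAN_PAGE))     # {}
    print(find_injected_fields(INJECTED_PAGE))  # {'login': ['card_number', 'pin'], 'verify': ['mothers_maiden_name']}
```

The snapshot has to come from the client side (for example, a small script that reports the rendered form fields back to the bank), because the injection happens after the server's response has left the network; comparing server-side templates would never show the extra fields.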

When an SSL connection is being established, the bank sends the client a certificate containing the public key that will be used to set up the encryption of the information exchanged.  On the bank side of the proxy, the Trojan uses the details provided by the bank to encrypt outbound traffic.  On the browser side of the connection, the Trojan inserts its own self-signed certificate and neutralizes certificate validation in the browser process, so the user is fooled into thinking the connection is secure.  Users may believe the site is secure because the URL still uses the "https" scheme and the browser still shows the telltale sign everybody is trained to look for: the closed padlock.  This creates the illusion that the victim is conducting banking transactions over a secure connection.

Tatanarg also facilitates remote control of the compromised computer, allowing commands to be issued that restart the affected computer, purge the browser's cookies, and terminate active programs and processes.  Information extracted by this malware agent may be used by criminals to steal funds from a user's online banking account and conduct unauthorized transactions before being sold on to others in the underground crime market.

The three samples for which I have been able to obtain MD5 hash values have all shown a moderate detection rate on VirusTotal, ranging from 29 to 31 of the 43 vendors' products available, indicating that detection is possible but not guaranteed.  IDS/IPS signatures have also been released.

What to look for:

  • Watch for the creation of the following processes:
      • c:\documents and settings\support\application data\microsoft\internet explorer\report.exe
      • c:\windows\system32\wbem\wmic.exe
  • Watch for connections to 212 [dot]124 [dot]110 [dot]18 over port 80.
  • Watch for DNS Requests to www [dot] meteocarlet [dot] com.
  • See Symantec's write-up for registry entries and dropped files.
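The indicators above can be turned into a small matcher over endpoint and network telemetry. The following is an added example, not code from the original post or from Symantec: the `KIND key=value` log format and the sample lines are constructed, while the process paths, IP, port and domain are the indicators listed above, refanged for matching. Note that wmic.exe is a legitimate Windows binary, so its appearance alone is treated as a weak signal; the report.exe path is the specific one.

```python
"""Match the indicators listed above against endpoint and network telemetry.

Added example, not code from the original post. The log line format
(KIND key=value ...) and the sample lines are constructed; the process paths,
IP, port and domain are the indicators from the post, refanged for matching.
"""
import re

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=value


def refang(value):
    """Turn a defanged indicator such as 'www [dot] example [dot] com' into a
    matchable lower-case string."""
    return re.sub(r"\s*\[dot\]\s*", ".", value).strip().lower()


# Indicators from the post. Paths are compared case-insensitively because
# Windows paths are case-insensitive and logging tools differ in what they emit.
SUSPICIOUS_PROCESSES = {
    r"c:\documents and settings\support\application data\microsoft\internet explorer\report.exe",
    r"c:\windows\system32\wbem\wmic.exe",
}
C2_IP = refang("212 [dot]124 [dot]110 [dot]18")
C2_PORT = 80
C2_DOMAIN = refang("www [dot] meteocarlet [dot] com")


def parse_line(line):
    """Split 'KIND k=v k="v v"' into (KIND, {k: v})."""
    kind, _, rest = line.partition(" ")
    return kind, {k: q or u for k, q, u in KV.findall(rest)}


def match_indicators(lines):
    """Return (host, indicator_type, value, severity) for each matching line."""
    hits = []
    for line in lines:
        kind, f = parse_line(line)
        host = f.get("host")
        if kind == "PROC":
            image = f.get("image", "").lower()
            if image in SUSPICIOUS_PROCESSES:
                # wmic.exe is a legitimate Windows binary, so on its own it is a
                # weak signal; the report.exe path is specific to this Trojan.
                sev = "low" if image.endswith(r"\wmic.exe") else "high"
                hits.append((host, "process", image, sev))
        elif kind == "NET":
            if f.get("dst") == C2_IP and int(f.get("dport", 0)) == C2_PORT:
                hits.append((host, "network", f"{C2_IP}:{C2_PORT}", "high"))
        elif kind == "DNS":
            q = f.get("query", "").lower().rstrip(".")  # tolerate a trailing root dot
            if q == C2_DOMAIN:
                hits.append((host, "dns", q, "high"))
    return hits


def assess(lines):
    """Per-host verdict: a high-confidence indicator or two distinct indicator
    types means 'likely infected'; a lone weak indicator means 'review'."""
    by_host = {}
    for host, kind, value, sev in match_indicators(lines):
        by_host.setdefault(host, []).append((kind, sev))
    verdict = {}
    for host, hits in by_host.items():
        kinds = {k for k, _ in hits}
        strong = any(s == "high" for _, s in hits)
        verdict[host] = "likely infected" if strong or len(kinds) >= 2 else "review"
    return verdict


# Constructed telemetry for three workstations.
SAMPLE_LOGS = [
    r'PROC host=ws01 image="c:\windows\explorer.exe"',
    r'PROC host=ws01 image="C:\Documents and Settings\support\Application Data\Microsoft\Internet Explorer\report.exe"',
    r'PROC host=ws02 image="c:\windows\system32\wbem\wmic.exe"',
    r'NET host=ws01 dst=212.124.110.18 dport=80 proto=tcp',
    r'NET host=ws02 dst=192.0.2.10 dport=443 proto=tcp',
    r'DNS host=ws01 query=www.meteocarlet.com.',
    r'DNS host=ws03 query=www.example.com',
]

if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_LOGS):
        print(hit)
    print(assess(SAMPLE_LOGS))  # {'ws01': 'likely infected', 'ws02': 'review'}
```

To use this against real telemetry, replace `parse_line` with a parser for whatever your process-creation, proxy and DNS logs actually emit; the matching and scoring logic stays the same. The indicator values themselves will age quickly (infrastructure changes), so the path-based and DNS checks are the ones most worth keeping alongside the IDS/IPS signatures the post mentions.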

Tatanarg, OddJob and other recent Trojans illustrate the time and resources criminal networks are willing to invest in malware development, as well as the level of technical creativity employed to defeat available security defenses.  Expect criminals to develop and evolve more advanced techniques for defrauding individuals and to modify their successful tools to plunder a wide array of corporations.  Security firms, businesses, and software developers must continue to invest in research, develop new technologies, and enhance their security postures to deal with these emerging threats.  Information security is crucial to create and maintain trust among online customers, and ensure the continuity of business in all industries.  Hiring professionals with IT and security certifications will help all businesses to secure their individual systems, networks, and online applications.

Symantec’s Tatanarg Write-up.

EC-Council’s new Center for Advanced Security Training.