Trusteer has recently identified “Sunspot”, a little-known Windows malware agent that was not previously identified as a financial fraud vector. Sunspot is currently targeting North American financial institutions and has already achieved significant infection rates in some regions. There are confirmed fraud losses associated with Sunspot, so this threat is real, adding to the already swelling list of malware targeting finance that is flooding the Internet.
Sunspot targets 32-bit and 64-bit Windows platforms from Windows XP through Windows 7, and is capable of installing in non-administrator and administrator accounts. Once installed, it targets Internet Explorer and Firefox browsers. This is a very modern malware platform with sophisticated fraud capabilities. It can carry out man-in-the-browser attacks, web form injections, page grabbing, key-logging and screen capture.
Sunspot is started either by “rundll32.exe” or by a startup registry entry. It uses CBT hooking to load its DLL into the browser. Inside the browser it hooks several Wininet/NSPR4/user32 functions for web injections, page grabbing and key-logging.
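For defenders triaging a host, the two start-up mechanisms above overlap in one easy check: startup registry values that launch a DLL through rundll32. The following is an added example, not Trusteer's code. The page names neither the registry key nor the DLL, so the standard Run keys, the sample `reg query` output and the trusted-directory heuristic are all assumptions.

```python
import re

# Constructed sample of `reg query` output; value names and paths are invented.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Sample Updater    REG_SZ    rundll32.exe "C:\Users\alice\AppData\Roaming\example\sample.dll",Entry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Panel    REG_SZ    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
'''

# One value line: four-space separated name, type and data (names may contain spaces).
VALUE = re.compile(r'^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$')
# rundll32 [quoted or bare DLL path],[export name]
RUNDLL = re.compile(r'\brundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^,"]+?))\s*,\s*(\S+)', re.I)
# Assumption: DLLs under these directories are lower priority for review.
TRUSTED = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')

def rundll32_autoruns(reg_output):
    """Return startup values that launch a DLL through rundll32."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith('HKEY_'):          # a new registry key section begins
            key = line.strip()
            continue
        m = VALUE.match(line)
        if not m or key is None:
            continue
        name, _type, data = m.groups()
        hit = RUNDLL.search(data)
        if not hit:                           # ordinary executable autorun, skip
            continue
        dll = (hit.group(1) or hit.group(2)).strip()
        findings.append({
            'key': key, 'name': name, 'dll': dll, 'export': hit.group(3),
            # Flag DLLs loaded from outside the trusted directories.
            'review': not dll.lower().startswith(TRUSTED),
        })
    return findings

if __name__ == '__main__':
    for f in rundll32_autoruns(SAMPLE):
        tag = 'REVIEW' if f['review'] else 'ok'
        print(f"{tag:6} {f['key']} [{f['name']}] -> {f['dll']},{f['export']}")
```

A flagged entry is only a lead for review: legitimate software also registers rundll32 autoruns, and a DLL in a user profile directory needs its signature and origin checked before any conclusion is drawn.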
It appears Sunspot was not originally developed as “crime ware”. We could be witnessing a sea change in malware development where little-known malware platforms are re-purposed to carry out financial fraud. This will increase the difficulty of defence since banks may be attacked by volumes of unique financial malware platforms. Sunspot also illustrates an increasing emphasis on payment card theft. More and more malware is asking victims for credit and debit card information together with additional personally identifiable information, allowing more card-not-present fraud, and making it more difficult to identify the source of fraudulent transactions.
Defence against Sunspot and its ilk remains the same as it always has been. Layered security combining server-side and client-side malware defenses, behavior-based attack detection and monitoring is the most effective way to protect users against financial crime ware.