It seems like the banking industry can't catch a break when it comes to fighting off new Trojans. In recent weeks, I learned of two Trojans that are targeting bank information.
First, Trusteer found a new malware dubbed "OddJob." The malware keeps banking sessions open after users think they have logged off, and this enables the bad guys to steal money undetected. According to the Trusteer blog:
This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital (and online monetary) assets.
The most interesting aspect of this malware is that it appears to be a work in progress, as we have seen differences in hooked functions in recent days and weeks, as well as the way the Command & Control (C&C) protocols operate. We believe that these functions and protocols will continue to evolve in the near future, and that our analysis of the malware's functionality may not be 100 percent complete as the code writers continue to refine it.
OddJob's most obvious characteristic is that it is designed to intercept user communications through the browser. It uses this ability to steal/inject information and terminate user sessions inside Internet Explorer and Firefox.
Second, Symantec recently discovered a Trojan named "Tatanarg." Again, this is another piece of malware designed to grab banking information. It has all the basic features of other banking information-gathering Trojans out there, but this one also disables Zeus. According to the Symantec blog:
One interesting feature of the Trojan is that it hijacks SSL/TLS connections between the browser and the bank. When an SSL connection is being established, the bank will send the client a certificate and a public key signed by the certificate that will be used to encrypt information that is exchanged. The Trojan injects itself between the bank server and the browser and forms a proxy service. On the bank side of the proxy, the Trojan uses the details provided by the bank to encrypt outbound traffic. On the browser side of the connection, the Trojan inserts its own self-signed certificate and neutralizes the certificate validation in the browser process to fool the user into thinking that the connection is secure. Users may think the site is secure because the URL will use the "https" scheme and the telltale sign that everybody is trained to look for, the closed padlock, will also be shown in the browser.
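Because the proxy scheme quoted above neutralizes validation inside the browser process, a check that runs outside the browser, with its own trust store and a pinned fingerprint, can still notice the self-signed certificate the proxy presents. The following is an added example, not code from Symantec or this blog; the bank host, expected issuer CN and pinned fingerprint are placeholders an operator would record from a known-good connection.

```python
# Added example (not from the posts quoted above); host, issuer CN and pin are placeholders.
import hashlib
import socket
import ssl

EXPECTED_ISSUER_CN = "Example Bank Issuing CA"   # placeholder, not a real CA
PINNED_SHA256 = "0" * 64                         # placeholder pin, fill from a known-good session

def fingerprint(der_bytes):
    """SHA-256 of the DER certificate, the value browsers and openssl display."""
    return hashlib.sha256(der_bytes).hexdigest()

def _rdn_value(name, key):
    """Pull one field (e.g. 'commonName') out of getpeercert()'s RDN tuples."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v

def inspect_cert(cert, der_bytes, expected_issuer_cn=EXPECTED_ISSUER_CN,
                 pinned_sha256=PINNED_SHA256):
    """Return findings for a peer cert (dict form of getpeercert() plus its DER)."""
    findings = []
    subject, issuer = cert.get("subject", ()), cert.get("issuer", ())
    if subject and subject == issuer:
        findings.append("self-signed: issuer equals subject")
    issuer_cn = _rdn_value(issuer, "commonName")
    if issuer_cn != expected_issuer_cn:
        findings.append(f"unexpected issuer CN: {issuer_cn!r}")
    if fingerprint(der_bytes) != pinned_sha256:
        findings.append("fingerprint does not match pin")
    return findings

def check_host(host, port=443):
    """Connect with the OS trust store (not the browser's) and inspect the cert."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return inspect_cert(tls.getpeercert(),
                                    tls.getpeercert(binary_form=True))
    except ssl.SSLCertVerificationError as exc:
        # The OS trust store already rejected the chain; still record what was shown.
        der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
        return [f"chain rejected: {exc.verify_message}",
                f"presented fingerprint: {fingerprint(der)}"]

# Constructed sample of what a local proxy's self-signed certificate looks like.
SAMPLE_SELF_SIGNED = {"subject": ((("commonName", "bank.test"),),),
                      "issuer": ((("commonName", "bank.test"),),)}
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"
```

Run `check_host("<bank host>")` from a scheduled task or endpoint agent; any finding other than an empty list is worth an alert, since the browser's own padlock cannot be trusted on an infected machine.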