New banking Trojan targets U.K. banks

A new banking Trojan, called Silon, is making the rounds in the U.K., targeting banking customers.

A new Trojan that targets only the customers of U.K. banks has managed to infect thousands of computers in just the last few months.

The Silon Trojan is now responsible for around 20% of all infections of U.K. online banking customers, according to Trusteer Inc., a company that specialises in banking security. The figures were gathered using Trusteer's new forensic tool that allows banks to analyse their customers' computers.

Trusteer CEO Mickey Boodaei said just three Trojans account for around 95% of all U.K. bank customers' infections. The Zeus Trojan is still the most widespread, accounting for 60% of infections, and the third is Yaludle, which accounts for 10%.


But while Zeus and Yaludle have both been distributed globally, Silon is unique because it has been designed to go after only customers of major U.K. banks. Boodaei estimates that one in 350 bank customers has been infected by Silon so far. Banking industry figures show that around 22 million people now use online banking services, which means that Silon could be installed on more than 60,000 computers.

According to Boodaei, New York-based Trusteer first spotted an early prototype of Silon about a year ago. This was followed in late 2009 by a much more sophisticated version that is far harder to detect and block.

"The people behind this have invested a lot of effort into making the code resilient. It is very difficult to reverse-engineer -- which you must do to find out what's in it -- and they have also included a lot of encryption," Boodaei said. "The malware changes itself from one instance to another. If you look at the malware on two different computers, you'll find two different files. It makes it hard for AV to detect it."

Silon has been designed, he said, to manipulate a user's browser, capture login details and interfere with user transactions without the user's knowledge. Captured banking credentials can be quietly sent back to the criminals who can either steal the money or sell the credentials to other gangs. Even worse, Silon can bypass specific security controls and authentication mechanisms operated by U.K. banks, and is able to update itself to counter any changes the banks may make.

The widespread success of Silon, Zeus and Yaludle poses a major problem for U.K. banks, which in most cases will be liable for any money lost through fraud. While the banks themselves can guard their own internal systems effectively, they have little control over the behaviour of their online customers and the state of their PCs.

Banks facing other threats
The threat faced by banks globally is not confined to personal customers with poorly maintained computers. There is also growing evidence that cybercriminals worldwide are targeting corporate users with access to their companies' financial systems and bank accounts. According to Dave Jevons, who heads the Anti-Phishing Working Group, an industry body focused on eliminating phishing and email spoofing, criminals are now making a "concentrated effort to go after corporate banking customers" where they can plunder much larger sums of money.

Jevons said malware has been written to pinpoint users accessing certain banks, especially in the U.S., to capture authentication details, and to allow attackers to take control of the browser. He said a fraud worth $200,000 was carried out against a U.S. corporate banking customer in this way in early 2009, followed by another in October worth $1 million. Then in January, a company lost $3 million through a banking Trojan.

According to Jevons, many banks have poor transaction anomaly reporting, meaning they would fail to query a sudden large transfer of funds, and have been unable to react in time before cash was withdrawn by money mules. He said the banks have been able to recover only half the money stolen through this type of fraud.
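As an added illustration of the kind of transaction anomaly check the paragraph above says many banks lack (example code written for this page, not from the article, Trusteer or any bank; the sample history, payee names and thresholds are constructed assumptions):

```python
"""Illustrative transaction-anomaly check. It holds a transfer that is far
larger than the account's recent history, or that goes to a payee the
account has never paid before, so a sudden large transfer is queried by a
person before funds can be withdrawn by money mules. Thresholds are assumed."""
from statistics import mean, pstdev

# Constructed sample history for one corporate account: (payee, amount in GBP).
HISTORY = [
    ("Payroll Ltd", 12000.0), ("Payroll Ltd", 12100.0), ("Office Supplies Co", 850.0),
    ("Payroll Ltd", 11950.0), ("Utilities plc", 1200.0), ("Office Supplies Co", 910.0),
]

LARGE_MULTIPLE = 3.0      # assumption: flag amounts above 3x the historical mean
NEW_PAYEE_LIMIT = 5000.0  # assumption: hold any first-time payee above this amount


def score_transfer(history, payee, amount):
    """Return (hold, reasons): hold is True when the transfer should be
    reviewed by a human before the money leaves the account."""
    amounts = [a for _, a in history]
    known_payees = {p for p, _ in history}
    avg = mean(amounts)
    sd = pstdev(amounts)
    reasons = []
    if amount > LARGE_MULTIPLE * avg:
        reasons.append(f"amount {amount:.2f} exceeds {LARGE_MULTIPLE}x mean {avg:.2f}")
    if sd and amount > avg + 3 * sd:
        reasons.append("amount more than 3 standard deviations above history")
    if payee not in known_payees and amount > NEW_PAYEE_LIMIT:
        reasons.append(f"first payment to new payee '{payee}' above {NEW_PAYEE_LIMIT:.0f}")
    return bool(reasons), reasons


def review_batch(history, transfers):
    """Split a batch of (payee, amount) into transfers to release and to hold."""
    release, hold = [], []
    for payee, amount in transfers:
        flagged, reasons = score_transfer(history, payee, amount)
        (hold if flagged else release).append((payee, amount, reasons))
    return release, hold


if __name__ == "__main__":
    batch = [("Payroll Ltd", 12050.0), ("Unknown Recipient", 200000.0)]
    released, held = review_batch(HISTORY, batch)
    for payee, amount, reasons in held:
        print(f"HOLD {payee} {amount:.2f}: {'; '.join(reasons)}")
```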

The situation is so bad that in December, NACHA, the U.S.-based electronic payments association, issued new guidelines to banking companies on how to work safely. One of its recommendations was that companies should have a computer that was dedicated solely to online banking, and with no other online usage.


In the U.K., HSBC recently took a pioneering step to limit the threat to its customers by offering all its online customers a free copy of Trusteer's Rapport product, which prevents a user's browser from being hijacked by malware. Within a few weeks, more than a million customers had downloaded the product.

Trusteer is looking to carve a specialised niche for itself with the launch of Flashlight, a forensic product to help banks analyse malware on customers' computers following a fraud incident.

"When the banks learn of a fraud incident, they often have to send people to the customer, remove the computer to a lab, and do an analysis that is expensive, time-consuming and very inconvenient for the customer," said Boodaei. "Flashlight lets them do it remotely."

If a customer believes they have suffered a fraud and calls the bank to report it, the bank can instruct them to download the Flashlight software, which then carries out a forensic investigation and gathers evidence. "In less than two minutes, the bank gets a full report on the malware, how it works, the criminal groups associated with it, and how it bypasses their security controls, so that they can immediately know if this is something new," Boodaei said.

The information can be shared with law enforcement, he said, allowing the command-and-control centres for the botnet to be located and closed down, as well as any mule accounts that the criminals use to withdraw cash from the bank.
