Traditionally, banking Trojans typically just captured data traffic exchanged between the user and the online banking website. The captured information included the authentication information, which is collected and sent to the attacker by the Trojan for their use or to sell on to other parties for a profit. For as long as there has been banking Trojans, there has been a cat and mouse game between the banks and the criminals as each side respond to each other’s move to thwart the actions of the other. More sophisticated banking Trojans employ a man-in-the-browser (MITB) method that is designed to overcome defenses, such as SSL encryption and multi-factor authentication. MITB is achieved by monitoring and intercepting user activities in the browser in real time and modifying the HTML content inside the context of the browser, either to display false information to the user or to manipulate details of transactions sent from the user to the bank.
A Trojan that has come to our attention of late is Trojan.Tatanarg. As banking Trojans go, this one includes all of the expected functionalities and a few more. It is component-based, so the initial installer downloads several components that perform various functions. These functions include the following:
– Killing other threats such as the Zeus Trojan. You may recall Trojan.Spyeye also had a functionality to kill Zeus Trojans. Zeus is clearly not only under attack from antivirus software but also from other malware, too.
– Disrupting security software – this is relatively common in many malware samples.
– Modifying HTML in the browser – this may be used to inject extra fields into authentication forms during login, for example.
– Enables Windows remote access.
