New Banker Trojan Bypasses SSL Mechanism

According to the Register, “Another RAT crawls out of the malware drain.” The short article is about a new banking trojan that can steal sensitive data from people using Internet Explorer, Chrome or Firefox browsers. PhishMe and CSIS (Center for Strategic and International Studies) have recently found a new version of malware being used to bypass SSL security and collect bank credentials.

CSIS has said they’ve found command and control servers that are used to collect the banking credentials. They were also able to find money-mule accounts in Latvia that are associated with at least one of the C&C servers. They’re also saying a future attack is already planned, with the likely delivery method being a phishing email asking the recipient to update their Flash Player.

CSIS is calling the malware Dyreza while PhishMe refers to it as Trojan Dyre. Whatever you call it, the trojan is really nefarious in that it gives users a false sense of security if they’re using an SSL connection to a website. The malware uses a MITM (Man in the Middle) attack to read the data before it is encrypted, bypassing the SSL protection altogether.

The Register wrote:

Both PhishMe and CSIS believe it’s a new RAT (remote access trojan) rather than another Zeus variant. CSIS has identified Bank of America, Natwest, Citibank, RBS and Ulsterbank as target institutions, but there may be more.

Spamfighter.com has an article about the new threat as well, with quotes from various sources around the web. The malware is coming via email in spam messages that are made to look like they’re coming from a financial institution. If someone downloads and opens the ZIP file attached to the email, the malware gets installed on their machine and starts to communicate with the command and control servers. Then, if they try to log into one of several banks, their credentials will be stolen.

This is a sophisticated attack in many ways. While most people are smart enough not to open the ZIP file in the email, there’s a good chance that a percentage of them will. This is what the bad guys count on. They’re basically using a browser hooking technique to defeat SSL. However, having SSL enabled on your server is still important. This is why SSL Notifier works so hard to make sure webmasters have no gaps in their security caused by an SSL certificate expiring – as happened to Apple a short while ago.