Cyber Attack Hits Bank Websites

Team Infidel


By Gillian Shaw, Vancouver Sun, January 17, 2008

In what is being billed as one of the most sophisticated cyber attacks to hit the Internet, a virus has been released that gets between computer users and their banking websites, giving thieves free rein to drain accounts and wreak financial havoc on their victims.
Dubbed the "Silentbanker," the virus is a Trojan horse computer users may unknowingly download by simply browsing the Internet. The first sign it's at work may be a bank notification warning their client has been a victim of fraud.
More than 400 banks -- including some in Canada -- have been targeted worldwide by the virus, which operates in many languages, said Symantec, a global security company tracking the progress of the Trojan.
"I'd have to say it is one of the most sophisticated we have seen. What makes it more dangerous is it seems to be staffed by professional software developers," said Al Huger, vice-president for security response and security services at Symantec.
"They are writing this and maintaining it just like they would a piece of software you might buy. There is a lot of money on the line for them. It is certainly organized."
Unlike conventional cyber-banking frauds -- in which bank clients are steered to a bogus website masquerading as their own institution's online site -- Silentbanker uses the genuine bank website and is able to manipulate the user's account without the client's knowledge.
Payments are steered into a hacker's account, or cleaned out altogether, before transactions can be encrypted.
It can also be used to steal credit card information and passwords.
When a banking client signs on to their banking website, the hacker is a silent third party, remaining completely hidden and making no changes at all to the site the banking client is seeing. All the functions, from transferring funds to paying bills or checking credit card balances, remain the same and continue to work, thereby giving the user no cause to suspect they've been compromised.
"What they are doing is they are already on your computer, and when you type on your computer [the hackers] are sitting between your keyboard and the bank," said Huger. "They are intercepting everything you send to your bank and everything your bank sends to you. It is called a man-in-the-middle attack."
Huger said the current attack has been under way for about four days, and while he said Symantec has seen it try to infect thousands of its customers, the company's security software has stymied the attempts.
A Symantec security team member said the virus is not just targeting large American banks, but financial institutions around the world, particularly in Europe.
Computer users who don't have up-to-date anti-virus security software installed, or who haven't updated their web browser to fix flaws that are allowing the Trojan to proliferate, are particularly open to attack.
"[Silentbanker] sits on the website, and unbeknownst to you it downloads to your system," said Huger, who added the hackers behind Silentbanker are probably also trying to send the virus out via e-mail.
Huger said the download could originate from many legitimate websites.
"It is the complete gamut -- from gaming sites to porn sites to home-craft sites," he said. "Whoever is doing this is actually breaking into a lot of legitimate sites and placing it there."
The Bank of Montreal said Wednesday it had not heard of the virus threat, but would be investigating. Calls made to other major Canadian banks were not returned.

What TROJAN.SILENTBANKER is capable of:

- When the virus installs itself, the web addresses for 400 different banks are downloaded to the victim computer.
- When the user tries to visit his/her bank's site, the virus impersonates the real customers by sending the attacker's account details instead.
- It appears to the user to be a normal transaction, but your money is being stolen.
- The virus steals passwords for file transfer tools, e-mail, and storage.
- The addresses of hundreds of other legitimate websites that you might visit are illegitimately placed in your computer.
- Hundreds of pornographic websites may be shown to you (so the attacker can make money from the referrals).
- If you think you have found and removed the virus, it may still be functioning because it has changed your Internet account's domain name server (DNS) settings.
- A user's DNS settings can be changed (to 85.255.116.133 or 85.255.112.87 - although Trojan.Silentbanker is elusive and this information may already be out of date).
- Your computer can be turned into a web server to further enable the virus's illegal activity.
 