Russian rootkit stealing bank info

Powered by SC Magazine
 

Teams from Sana Security have discovered a difficult-to-detect trojan designed to steal passwords previously used on infected machines.

The malware is effective because it acts as a rootkit to stay hidden from users, remaining on a PC indefinitely because it can survive a restart, the San Mateo, Calif., security vendor said Wednesday.

The trojan is kernel-mode, meaning the trojan modifies the layer of an operating system that controls the machine's basic functions.

The trojan – named rootkit.hearse by Sana – can compromise bank accounts, email logins and insurance information, the firm said.

The worm began infecting machines March 16, and Sana discovered the malware Tuesday. The firm estimated the trojan has affected roughly 20,000 users, stealing almost 40,000 records from 7,000 sites.

"The trojan appears to not be active at all times, but it does wake up and start communicating when it sees a user browsing to a website that requires authentication," Sana said.

The firm said it infected a virtual machine with the trojan, and the worm recorded a made-up username and password entered into Bank of America's website.

Once installed, the malware sends the information it steals to a Russian server.

"Due to the seriousness of this infection, and lack of detection in most mainstream security products, (we have) contacted the (anti-virus) companies with infected users, notified the owners of the websites that are hosting the malicious content and notified appropriate authorities," Sana said.

Meanwhile, anti-virus vendor F-Secure said today it is investigating a Russian email worm, which relies on rootkit technologies.

Called Gurong.A, the worm is in the wild but spreading slowly, the company said.

Because it is a kernel-mode rootkit, the malware can execute malicious code without adding any additional, F-Secure said.

Copyright © SC Magazine, US edition


 
 
 
Top Stories
Myer CIO named retailer's new chief executive
Richard Umbers to lead data-driven retail strategy.
 
Empty terminals and mountains of data
Qantas CIO Luc Hennekens says no-one is safe from digital disruption.
 
BoQ takes $10m hit on Salesforce CRM
Regulatory hurdles end cloud pilot.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  35%
 
Your insurance company
  5%
 
A technology company (Google, Facebook et al)
  9%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  4%
 
A Federal Government agency (ATO, Centrelink etc)
  18%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  7%
TOTAL VOTES: 4089

Vote
Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
  26%
 
I DON'T support shutting the OAIC.
  74%
TOTAL VOTES: 1394

Vote