SSL Trojans getting ever nastier

Based on increases in Trojan technology, frequency, Roger predicts a major bank heist is on the horizon

Last week’s column on SSL Trojans generated a lot of interest and some new information. First, I must admit to feeling like I’ve been living in a sheltered time warp. Although SSL Trojans are new to me, a little Googling turned up similar Trojans going back as far as 2004.

LURHQ’s description of an E-gold Trojan was an early foreshadowing of things to come. E-gold is an e-cash operation, similar to Paypal. Turns out they’ve been under constant attack from these advanced Trojans for a few years now. 

The E-gold Trojan waits for the victim to successfully authenticate to E-gold’s Web site, creates a second hidden browser session, and uses various spoofing tricks until it drains the victim’s account. Because the stealing and spoofing is started after the authentication is completed, no amount of fancy log-on authentication would prevent the heist. All too telling is LURHQ’s prediction that “other banking institutions are sure to be attacked in this manner in the future.”

After spending a few hours looking at various Web sites, I found dozens of these types of Trojans. What surprised me more is that their appearance is not unknown to most anti-virus companies and anti-malware vendors.

Mark Sunner, CTO of MessageLabs, which processes 160 million e-mails a day, says they’ve been spotting these Trojans since late 2005, but the quantity and specialization is increasing.

“In 2003, the Sobig worm really started the 'worm-to-botnet-for-commercial-profit' generation of malware," Sunner explains. "In 2004 and 2005, it wasn’t unusual to find botnets with hundreds of thousands of infected hosts.” In other words, taking a buckshot approach.

“Since then the criminals have refined their methods," Sunner continues. "The worms and Trojans are one-off malware, intentionally targeting specific companies and industries. Their related botnets are small, maybe numbering a total of 20,000 machines. Their intention is to stay hidden and get as much financial gain as possible. This means staying under the radar. If your bot worm infects 100,000 people in a day, it’s going to get noticed fast and your gain minimized.”

But it’s more than that: Everything the new malware does is more sophisticated. It uses multiple exploits to infect victims, connect out from the victim’s PC using port 80, download code updates from “mothership” Web servers using dynamic DNS, and e-mail the ill-gotten gains (usually over port 80) back home to different servers with changing locations.

I previously took some satisfaction in the Anti-Phishing Working Group's report that the average number of days that a phishing Web site was active was decreasing. That was until I realized this decrease was intentional: The group’s December 2005 report mentions several bank key-logging Trojans with screenshots, proof that the growing presence of key-logging Trojans led to the decreased size of botnets as they try to stay under the radar.

I ended my last column on a bright note about how some banks, such as Barclays UK, are using more sophisticated log-on methods, including virtual keyboards and randomly requested letters of a user’s “memorable word” to fight Trojans. Silly me. The Trojans these days have no problem getting around these increased complexities, and the technology to do just that is for sale.

It’s even advertised out in the open. One Russian Web site, (be careful when visiting, this is an untrusted Web site), says it all in their mission statement: “Our team is specialized in spyware development. … Our main direction is to create effective and powerful spyware. Coding is not just a hobby for us, it’s our job and style of life.”

Their IE Form Grabber technology page brags, “This technology allows you to collect forms with authorization based on magicword used in United Kingdom and other EU countries. Module can collect data from browser even if connection is secured and data transmitted thru HTTPS protocol. This technology used in UK Banks authorization leak test.” The price for the “leak test” code starts at 650 euros. Some might suggest that bad people may buy code like this and put it into their Trojans.

Even Trojan encryption and packing methods have gotten harder to figure out. As discussed in my previous column, malware is often “packed,” compressing and encrypting the bad program to make it harder to detect and to debug.

MessageLabs' Sunner says a big part of his company's Skeptic scanning engine is dedicated to decoding all the various packers used with these new classes of Trojans. Along with Skeptic, MessageLabs runs F-Secure and McAfee (a bit of disclosure: I work for Foundstone, a division of McAfee) anti-virus scanners to detect and remove the recognizable malware threats. But Skeptic has an additional 8GB of heuristic analysis database signatures to decode all the various packers. And even with the signatures, if the code looks too random (a sign of packing compression) it triggers Skeptic to take an even closer look.

One bank wrote me that more than 100 customers had been infected by the SSL Trojan. I wonder how many customers are infected, don’t know it, and haven’t contacted the bank?

“The tipping point has been realized, but sadly it’s going to take a disaster of some magnitude before more people pay attention," Sunner says. "It would not be surprising to me if a very large and popular bank gets hit by a targeted attack this year at a level not seen before.”

I’ll go further. Finding out about this huge underworld of target-specific Trojans stealing from e-commerce sites and banks has been a revelation. The criminals are more mature, practiced, and technology-prepared than I previously thought. I think 2006 will be the year of the world’s biggest bank heist. Tens of millions of dollars will be stolen electronically by SSL Trojans in one day (if it hasn’t already happened), resulting in an “awakening” of the general public and government regulators.

So, a la Bob Metcalfe, I’ll eat my column if I’m wrong.