How SSL-evading Trojans work

SSL-evading Trojans bypass the secure and authenticated tunnel mechanisms that are the safety backbone of today’s Internet banking and financial institutions. As with any Trojan, this type can do anything allowed by the user’s security permissions.

There are three basic flavors of SSL-evading Trojan: credential-stealing, bogus SSL, and transaction-based.

The credential-stealing variety is similar to the conventional password-stealing Trojan but with a twist. Rather than simply capture logon keystrokes and forward them to an attacker, these Trojans can also subvert such authentication methods as on-screen keyboards with random key placement, requests for random letters from a user’s “magic word,” or reselection of a previously selected graphic. They do this by taking small snapshots of the screen when the user clicks in previously located authentication areas. The pictures are collected, zipped, and then sent back to the malicious hacker.

Bogus SSL Trojans offer up fake local Web pages in place of a bank’s real Web site. When the Trojan installs itself, it searches the browser cache for bank and financial Web site pages and generates fake local pages. Then, when the user visits a real bank site, the Trojan intercepts the log-on and redirects it to the locally, bogus copy. The Trojan sends the credentials typed by the user to both the real bank and to the malicious hacker.

Transaction-based SSL-evading Trojans are the most dangerous and sophisticated. They wait until the user has successfully authenticated at the bank’s Web site, eliminating the need to bypass or capture authentication information. The Trojan then manipulates the underlying transaction, so that what the user thinks is happening is different from what’s actually transpiring on the site’s servers.

The Win32.Grams E-gold Trojan, spawned in November 2004, is a prime example of transaction-based type. When the user successfully authenticates, the Trojan opens a hidden browser window, reads the user’s account balance, and creates another hidden window that initiates a secret transfer. The user’s account balance, minus a small amount (to bypass any automatic warnings), is then sent to a predefined payee.

Many SSL-evading Trojans are “one-offs,” meaning that they are encrypted or packaged so that each Trojan is unique -- defeating signature-style detection by anti-virus software.

Ultimately, SSL-evading Trojans can be defeated only when users stop running untrusted code -- or better still, when banks deploy back-end defensive mechanisms that move beyond mere authentication protection.