I ended my last column on a bright note about how some banks, such as Barclays UK, are using more sophisticated log-on methods, including virtual keyboards and randomly requested letters of a user’s “memorable word” to fight Trojans. Silly me. The Trojans these days have no problem getting around these increased complexities, and the technology to do just that is for sale.
It’s even advertised out in the open. One Russian Web site, http://www.ratsystems.org (be careful when visiting, this is an untrusted Web site), says it all in their mission statement: “Our team is specialized in spyware development. … Our main direction is to create effective and powerful spyware. Coding is not just a hobby for us, it’s our job and style of life.”
Their IE Form Grabber technology page brags, “This technology allows you to collect forms with authorization based on magicword used in United Kingdom and other EU countries. Module can collect data from browser even if connection is secured and data transmitted thru HTTPS protocol. This technology used in UK Banks authorization leak test.” The price for the “leak test” code starts at 650 euros. Some might suggest that bad people may buy code like this and put it into their Trojans.
Even Trojan encryption and packing methods have gotten harder to figure out. As discussed in my previous column, malware is often “packed,” compressing and encrypting the bad program to make it harder to detect and to debug.
MessageLabs' Sunner says a big part of his company's Skeptic scanning engine is dedicated to decoding all the various packers used with these new classes of Trojans. Along with Skeptic, MessageLabs runs F-Secure and McAfee (a bit of disclosure: I work for Foundstone, a division of McAfee) anti-virus scanners to detect and remove the recognizable malware threats. But Skeptic has an additional 8GB of heuristic analysis database signatures to decode all the various packers. And even with the signatures, if the code looks too random (a sign that it has been compressed or encrypted by a packer), it triggers Skeptic to take an even closer look.
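The "looks too random" trigger described above is a byte-entropy heuristic: compressed or encrypted code has a near-uniform byte distribution, so its Shannon entropy approaches 8 bits per byte, while ordinary code and text sit well below that. The following is an added example, not the column's own material and not MessageLabs' Skeptic code, showing how a scanner can apply that check as a first-pass packer indicator. The window size, stride and threshold are assumptions, and the sample "binary" (a repetitive text stub followed by a SHA-256 chain standing in for a packed section) is constructed inline.

```python
"""Entropy heuristic for spotting packed or encrypted code regions.

Added example (not from the column and not MessageLabs' Skeptic): a
sliding-window Shannon-entropy scan of the kind a scanner can use as a
"looks too random, look closer" trigger. Window, stride and threshold
values are assumptions, not published scanner settings.
"""
import hashlib
import math
from typing import List, Tuple

WINDOW = 1024      # bytes per window (assumption)
STEP = 512         # stride between windows (assumption)
THRESHOLD = 7.0    # bits/byte; plain code/text rarely exceeds ~6.5 (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def windowed_entropy(data: bytes, window: int = WINDOW, step: int = STEP) -> List[Tuple[int, float]]:
    """(offset, entropy) for each window of `window` bytes, `step` bytes apart."""
    if not data:
        return []
    if len(data) < window:
        return [(0, shannon_entropy(data))]
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data) - window + 1, step)]


def suspicious_offsets(data: bytes, threshold: float = THRESHOLD) -> List[int]:
    """Offsets of windows whose entropy is at or above the threshold."""
    return [off for off, h in windowed_entropy(data) if h >= threshold]


def looks_packed(data: bytes, threshold: float = THRESHOLD, min_fraction: float = 0.5) -> bool:
    """True when at least `min_fraction` of the windows look random."""
    wins = windowed_entropy(data)
    if not wins:
        return False
    hot = sum(1 for _, h in wins if h >= threshold)
    return hot / len(wins) >= min_fraction


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy filler (a SHA-256 chain) standing in for a packed section."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample() -> Tuple[bytes, bytes, bytes]:
    """Constructed sample: 4096 bytes of repetitive text-like stub, then 8192 high-entropy bytes."""
    stub = (b"This program cannot be run in DOS mode.\r\n" * 100)[:4096]
    payload = pseudo_random_bytes(8192)
    return stub, payload, stub + payload


if __name__ == "__main__":
    stub, payload, sample = build_sample()
    print(f"stub entropy    : {shannon_entropy(stub):.2f} bits/byte")
    print(f"payload entropy : {shannon_entropy(payload):.2f} bits/byte")
    print("first suspicious windows at:", suspicious_offsets(sample)[:3])
    print("looks packed?", looks_packed(sample))
```

Entropy alone is a trigger, not a verdict: legitimately compressed resources, embedded images and certificates all score high, which is why the column describes it as the point where the scanner takes a closer look rather than a detection by itself.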
One bank wrote me that more than 100 customers had been infected by the SSL Trojan. I wonder how many customers are infected, don’t know it, and haven’t contacted the bank?
“The tipping point has been realized, but sadly it’s going to take a disaster of some magnitude before more people pay attention,” Sunner says. “It would not be surprising to me if a very large and popular bank gets hit by a targeted attack this year at a level not seen before.”
I’ll go further. Finding out about this huge underworld of target-specific Trojans stealing from e-commerce sites and banks has been a revelation. The criminals are more mature, practiced, and technology-prepared than I previously thought. I think 2006 will be the year of the world’s biggest bank heist. Tens of millions of dollars will be stolen electronically by SSL Trojans in one day (if it hasn’t already happened), resulting in an “awakening” of the general public and government regulators.
So, à la Bob Metcalfe, I’ll eat my column if I’m wrong.