Hackers use Trojan to target bank customers in three countries
The Trojan, called MetaFisher, relies on a Windows Metafile exploit
March 22, 2006 12:00 PM ETComputerworld - Hackers have been quietly infecting hundreds of thousands of computers worldwide with a particularly sophisticated Trojan horse program designed to steal bank account information and other sensitive data from compromised systems, according to security researchers.
The attacks have been going on for several weeks and appear for the moment to be largely targeted at customers of several large banks in the U.K., Spain and Germany, the researchers added.
This is one of those big, under-the-radar threats that weve been concerned about for some time said Ken Dunham, director of the rapid response team at VerSign Inc.'s iDefense unit. There has been a trend away from big-bang attacks to very targeted and sophisticated attacks that take place right under your nose. This is one of them."
According to Dunham, hackers have been sending out hundreds of thousands of e-mails prompting users in those three countries to visit malicious Web sites that use a Windows Metafile (WMF) exploit to download a Trojan program called MetaFisher on a victims computer.
The Trojan, which is also known as Spy-Agent and PWS, is then used to collect and send bank account and personal information from the compromised system to remote servers, where the data is harvested.
What sets MetaFisher apart from the hundreds of other similar Trojan programs is the sophistication of the command-and-control servers used to control it, said Eric Sites, vice president of research and development at Sunbelt Software Inc. in Clearwater, Fla.
We have seen many Trojans with Web back ends that collect data and send a few commands back to the bot, Sites said. In contrast, MetaFishers management interface reveals a level of sophistication usually found only in professional IT departments, he said.
According to Dunham, MetaFisher uses a PHP-based Web site to track infections by country and to manage variants and scripts. It also includes a query routine to easily filter stolen data and find keylogger and account data for specific keywords, he said.
The command-and-control servers also allow hackers to modify the behavior of the bots based on information gathered from compromised systems, Sites said. For instance, the attack instructions and exploits that get downloaded on a victims computer might vary based on the operating system.
For the moment, a vast majority of the installed MetaFisher bots are programmed to steal passwords, personal ID numbers and other information from compromised users who visit specific banking Web sites in the U.K., Spain and Germany, Dunham and Sites said.
Security
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
