Skip the navigation
News

Stabuniq malware found on servers at U.S. financial institutions

The malware appears to just be performing reconnaissance for now

By Lucian Constantin
December 21, 2012 08:38 AM ET

IDG News Service - Security researchers from Symantec have identified an information-stealing Trojan program that was used to infect computer servers belonging to various U.S. financial institutions.

Dubbed Stabuniq, the Trojan program was found on mail servers, firewalls, proxy servers, and gateways belonging to U.S. financial institutions, including banking firms and credit unions, Symantec software engineer Fred Gutierrez said Friday in a blog post.

"Approximately half of unique IP addresses found with Trojan.Stabuniq belong to home users," Gutierrez said. "Another 11 percent belong to companies that deal with Internet security (due, perhaps, to these companies performing analysis of the threat). A staggering 39 percent, however, belong to financial institutions."

Based on a map showing the threat's distribution in the U.S. that was published by Symantec, the vast majority of systems infected with Stabuniq are located in the eastern half of the country, with strong concentrations in the New York and Chicago areas.

Compared to other Trojan programs, Stabuniq infected a relatively small number of computers, which seems to suggest that its authors might have targeted specific individuals and organizations, Gutierrez said.

The malware was distributed using a combination of spam emails and malicious websites that hosted Web exploit toolkits. Such toolkits are commonly used to silently install malware on Web users' computers by exploiting vulnerabilities in outdated browser plug-ins like Flash Player, Adobe Reader or Java.

Once installed, the Stabuniq Trojan program collects information about the compromised computer, like its name, running processes, OS and service pack version, assigned IP (Internet Protocol) address and sends this information to command-and-control (C&C) servers operated by the attackers.

"At this stage we believe the malware authors may simply be gathering information," Gutierrez said.

Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.
Our Commenting Policies
Blog Spotlight
Richi Jennings

Crafty hackers hack craft stores -- again.

Michaels Stores (NYSE:MIK) has finally confirmed the details of the point-of-sale hack revealed in January. It's unclear what's taken them so long -- the company claims the hack was "highly sophisticated," but everyone uses a blah-blah phrase like that.

Your humble blogwatcher notes that the problem persisted for more than a month after the news first broke. smh.

In IT Blogwatch, bloggers are aghast that, for the second time, the company's POS was hacked -- lasting almost nine months.

Robert L. Mitchell
Sharky