Hackers use Trojan to target bank customers in three countries

Computerworld - Hackers have been quietly infecting hundreds of thousands of computers worldwide with a particularly sophisticated Trojan horse program designed to steal bank account information and other sensitive data from compromised systems, according to security researchers.

The attacks have been going on for several weeks and appear for the moment to be largely targeted at customers of several large banks in the U.K., Spain and Germany, the researchers added.

“This is one of those big, under-the-radar threats that we’ve been concerned about” for some time said Ken Dunham, director of the rapid response team at VerSign Inc.'s iDefense unit. “There has been a trend away from big-bang attacks to very targeted and sophisticated attacks that take place right under your nose. This is one of them."

According to Dunham, hackers have been sending out hundreds of thousands of e-mails prompting users in those three countries to visit malicious Web sites that use a Windows Metafile (WMF) exploit to download a Trojan program called MetaFisher on a victim’s computer.

The Trojan, which is also known as Spy-Agent and PWS, is then used to collect and send bank account and personal information from the compromised system to remote servers, where the data is harvested.

What sets MetaFisher apart from the hundreds of other similar Trojan programs is the sophistication of the command-and-control servers used to control it, said Eric Sites, vice president of research and development at Sunbelt Software Inc. in Clearwater, Fla.

“We have seen many Trojans with Web back ends that collect data and send a few commands back to the bot,” Sites said. In contrast, MetaFisher’s management interface reveals a level of sophistication usually found only in professional IT departments, he said.

According to Dunham, MetaFisher uses a PHP-based Web site to track infections by country and to manage variants and scripts. It also includes a query routine to easily filter stolen data and find keylogger and account data for specific keywords, he said.

The command-and-control servers also allow hackers to modify the behavior of the bots based on information gathered from compromised systems, Sites said. For instance, the attack instructions and exploits that get downloaded on a victim’s computer might vary based on the operating system.

For the moment, a vast majority of the installed MetaFisher bots are programmed to steal passwords, personal ID numbers and other information from compromised users who visit specific banking Web sites in the U.K., Spain and Germany, Dunham and Sites said.