New financial trojan - Sunspot - arrives with Zeus/SpyEye capabilities

According to Amit Klein, chief technology officer of in-browser web security specialist Trusteer, Sunspot's infection rates are similar to those of SpyEye and Zeus in some regions, with confirmed fraud losses resulting from the trojan.

"Sunspot targets 32-bit and 64-bit Windows platforms from Windows XP through Windows 7, and is capable of installing in non-administrator and administrator accounts", he says in his latest security blog.

Once installed, Klein says, the malware targets the Internet Explorer and Firefox browsers, but, he adds, the detection rate for Sunspot among leading anti-virus programs is painfully low.

According to a Virus Total analysis, he claims, only nine of 42 anti-virus programs tested, or 21%, currently detect Sunspot.

The trojan is notable, he reports, as it can carry out man-in-the-browser attacks, including web injections, page grabbing, key-logging and screen shooting.

Screen shooting, says the Trusteer CTO, captures screenshots of the mouse vicinity as a user types his/her password on a virtual keyboard.

Klein's researchers have traced the Sunspot command and control server (C&C) hostname to a domain registered in Russia.

The malware, he argues, is interesting for two reasons. First, it reveals a new approach to financial malware development.

"Unlike purpose-built financial fraud platforms like Zeus, SpyEye, Bugat, and others, it appears Sunspot was not originally developed as crimeware. If this is the case, we could be witnessing a sea change in malware development where general-purpose and little-known malware platforms are re-programmed to carry out financial fraud", he said.

"This will make it even more difficult to defend against attacks since banks will be ambushed by a growing number of unique financial malware platforms", he added.

Secondly, he went on to say, Sunspot illustrates an increasing emphasis by crimeware authors on payment card theft.

"We are seeing more and more malware asking victims for their credit and debit card information together with additional identifiable information", he said.

This, he explained, allows criminals to commit card-not-present fraud on the internet, and also makes it more difficult for banks to identify the source of fraudulent transactions.

According to Klein, the takeaway for financial institutions from Sunspot remains the same:

"A layered security approach that combines server-side and client-side zero-day attack protection is the most effective way to protect users against crimeware, since anti-virus programs are lagging way behind in their ability to detect these programs", he notes.