Trusteer spots worm-based malware using Zeus-like strategies to infect

The malware – a recode of Win32.Ramnit (first seen 18 months ago) – has the ability to inject HTML code directly into the web browser client, thereby side-stepping the conventional two-factor authentication and transaction signing systems used by financial institutions to protect their users' online banking sessions.

Ramnit's command-and-control servers have been traced back to Germany and, says Trusteer, have been found infecting tens of thousands of computers used for mobile banking services.

The initial version of Ramnit was first detected in 2010 and targets .EXE, .SCR, .DLL, .HTML and other file types.

File infection, says Trusteer, is an 'old school' virus technique that is rarely seen in modern financial malware.

The firm says that the evolution of Ramnit into a fraud tool was made possible when the source code of the notorious Zeus financial malware platform was made freely available on the Internet earlier this year. Since then, the company adds, fraudsters and malware authors have borrowed parts of the Zeus toolkit and incorporated them into other malware.

“Trusteer researchers found the method used to configure Ramnit to target a specific bank is identical to the one used by Zeus. This allows fraudsters who have written configurations for Zeus to easily port their configuration to Ramnit”, says Amit Klein, Trusteer's CEO, in his latest security posting.

Unlike in the past, when financial institutions had to defend against a limited number of malware platforms, Klein says that attacks can now come from virtually any malicious software program – old or new – as a result of the malware distribution channel available to fraudsters having increased significantly in scale.
