The attacks on Russian and Ukrainian bank customers is a switch for bank trojans, which tend to originate in Russia and Ukraine and attack Western targets.
At the DLP Russian 2010 conference in Moscow this week, Stewart explained that there had been an “unspoken rule” among Russian trojan developers not to infect Russian computers. But times are changing.
Stewart said that the Origami trojan currently has limited distribution, but it is a “highly capable credential-stealing trojan”.
The SecureWorks researcher supplied a “heat map” of Origami trojan infections. Most of the infections were centered around the Russian capital of Moscow and the Ukrainian capital of Kiev, but there were also concentrations in eastern Ukraine, as well as Belarus, Lithuania, Moldova, and Germany.
Stewart explained that anti-virus software is only 20% effective against a credential-stealing trojan like Origami. He recommended a “layered defense”, which includes patch management, commercial anti-virus software, network firewall with strict egress policies, web proxy with scanning/blocking capability, network intrusion prevention system (IPS) with malware ruleset, host-based IPS/firewalls, and executable whitelisting.
On the policy side, he recommended more global cooperation against trojans and other cybercrime, including cooperation between law enforcement agencies around the world and between law enforcement and private companies.