A sophisticated online banking Trojan that first surfaced two years ago has hit banks in Denmark, Symantec researchers said.
While the malware has been detected in the U.S., it hasn't attacked specific banks here, said Kevin Haley, director of product management for Symantec Security Response.
The Trojan, called Bankpatch, first surfaced in 2007 and its authors continue to distribute it and update plug-in modules that are designed to target specific banks and steal online banking credentials, Eric Chien, a researcher at Symantec, wrote in a Symantec blog post Friday. The malware has attacked several Danish banks, he said.
Users can be infected with Bankpatch by visiting a website that exploits vulnerabilities in Internet Explorer and third-party browser plug-ins, researchers said.
When executed, the Trojan injects code into Windows system files and patches key routines to hide itself and trigger other actions that allow it to track when Internet Explorer is used. It downloads additional plug-ins known collectively as Infostealer.Nadebanker, which are browser helper objects customized to target certain online banking systems and intercept online banking traffic to change what the user sees, Chien wrote in an update Tuesday.
"This allows Nadebanker to potentially transfer money from these accounts unnoticed," he said.
Haley said it appears that if the attackers know enough about how a bank performs online transactions, they can customize an attack specific to that bank and download it to infected machines as a plug-in. Symantec scans for both the Trojan and Nadebanker, and offers a removal tool.