Researchers at Panda Security say a new study suggests the threat of Trojan attacks against U.S. banks will increase, despite foreign banks being the main target of cybercriminals.
Panda Security recently published a report that analyzes banking Trojans, their infection channels and how the insidious malware tries to steal users' banking credentials.
"Once installed on a computer, the main aim of all these Trojans is to steal bank details from victims," Panda researchers wrote in their report. "The Trojans normally go memory-resident, and only activate when users visit the Web pages of certain banks. To this end, the Trojans include a list of banks which they can target."
Many of the most active Trojans target Brazilian, Russian and other foreign banks, according to the report. But Sean-Paul Correll, threat researcher and security evangelist at Madrid-based Panda, said "the architecture of the malware has been improved so that the list of banks attacked can be changed on the fly," and the likelihood of U.S. banks being affected is extremely high.
In the latter part of 2008, banking Trojans grew significantly in terms of complexity and frequency, Correll said.
Panda identifies the Sinowal banker Trojan as the most active family of banking malware. Sinowal belongs to a category of Trojans that change continuously and are updated to steal credentials from different banks, making them particularly dangerous, researchers said. The malware's list of target banks is obtained from a configuration file that is either included with the Trojan or in a server controlled by the attacker.
Banker Trojans typically use spam to infect users' computers, either via an attachment or links to a Web page, according to Panda. Once a computer is infected, attackers monitor the user's browsing habits by registering as a Browser Helper Object, searching for window titles or Web addresses in the browser, and use keyloggers, form capture, false forms and other techniques to steal data.
The programs are readily available to cybercriminals and there is an extensive black market in banking malware kits, researchers wrote.
While banks have improved security and client authentication procedures in order to thwart banker Trojans, the malware has become more sophisticated, according to the report. For example, virtual keyboards block keyloggers from capturing bank data entered by users, but attackers developed new functions that allowed Trojans to take video captures of the screen.
Also, some variants of the Sinowal family are capable of modifying data on the fly, Panda researchers said. For instance, if the user is making a transfer on a bank Web page, the malware can alter the data of the intended recipient of the transfer.
The Panda study provides analysis of specific malware samples, including one designed for the Firefox browser, which was detected in December and affected banks in the U.S., Spain, Italy, the U.K., France and Australia.
In December, Gartner said banks should tighten up their online security in the wake of a new password-stealing Trojan that targeted Firefox users. Gartner researchers said they expect criminals to copy the Trojan in order to access financial accounts.