Unusual banking trojan found today (April 1, 2008)

We've seen tons of banking trojans lately, but now we've run into
something quite unique.

This new banking trojan was found today from a drive-by-download site.
We've added detection for it as Win32.Pril.A.

It not only infects the MBR of the machine, but also reflashes the
boot code in the Flash BIOS, making disinfection problematic.

Once an infected machine is online, the trojan monitors the user's
actions, waiting for him to go to one of several hundred online
banks, located all over the world.

Once the user has logged on, the banking trojan uses PCMCIA to inject
code into the VGA! As an end result, the trojan creates a
man-in-the-browser attack against the victim.

Now, the really surprising part is what the trojan does. Normal
banking trojans would insert extra transactions or change the deposit
account numbers on-the-fly. However, Win32.Pril.A doesn't withdraw
money from you - it actually inserts money TO your account. This
looked so weird we had to test it several times, on all of our
accounts.

The drive-by-download site is still up. Normally, we wouldn't list the
URL for such a site, or we would at least obfuscate it in a
screenshot. However this time we'll make an exception. We will even
make the link clickable: http://aprilbanking.cjb.net/

http://www.f-secure.com/weblog/archives/00001411.html

Enjoy :-)