Thread: Banking Trojan

  1. #1
    Andy Walker Guest

    Banking Trojan

    Unusual banking trojan found today (April 1, 2008)

    We've seen tons of banking trojans lately, but now we've run into
    something quite unique.

    This new banking trojan was found today from a drive-by-download site.
    We've added detection for it as Win32.Pril.A

    It not only infects the MBR of the machine, but also reflashes the
    boot code in the Flash BIOS, making disinfection problematic.

    Once an infected machine is online, the trojan monitors the user's
    actions, waiting for him to go to one of several hundred online
    banks, located all over the world.

    Once the user has logged on, the banking trojan uses PCMCIA to inject
    code into the VGA! As an end result, the trojan creates a
    man-in-the-browser attack against the victim.

    Now, the really surprising part is what the trojan does. Normal
    banking trojans would insert extra transactions or change the deposit
    account numbers on-the-fly. However, Win32.Pril.A doesn't withdraw
    money from you - it actually inserts money TO your account. This
    looked so weird we had to test it several times, on all of our
    accounts.

    The drive-by-download site is still up. Normally, we wouldn't list the
    URL for such a site, or we would at least obfuscate it in a
    screenshot. However this time we'll make an exception. We will even
    make the link clickable: http://aprilbanking.cjb.net/

    http://www.f-secure.com/weblog/archives/00001411.html

    Enjoy :-)



  2. #2
    David H. Lipman Guest

    Re: Banking Trojan

    From: "Andy Walker" <awalker@nspank.invalid>

    | Unusual banking trojan found today (April 1, 2008)
    |
    | We've seen tons of banking trojans lately, but now we've run into
    | something quite unique.
    |
    | This new banking trojan was found today from a drive-by-download site.
    | We've added detection for it as Win32.Pril.A
    |
    | It not only infects the MBR of the machine, but also reflashes the
    | boot code in the Flash BIOS, making disinfection problematic.
    |
    | Once an infected machine is online, the trojan monitors the user's
    | actions, waiting for him to go to one of several hundred online
    | banks, located all over the world.
    |
    | Once the user has logged on, the banking trojan uses PCMCIA to inject
    | code into the VGA! As an end result, the trojan creates a
    | man-in-the-browser attack against the victim.
    |
    | Now, the really surprising part is what the trojan does. Normal
    | banking trojans would insert extra transactions or change the deposit
    | account numbers on-the-fly. However, Win32.Pril.A doesn't withdraw
    | money from you - it actually inserts money TO your account. This
    | looked so weird we had to test it several times, on all of our
    | accounts.
    |
    | The drive-by-download site is still up. Normally, we wouldn't list the
    | URL for such a site, or we would at least obfuscate it in a
    | screenshot. However this time we'll make an exception. We will even
    | make the link clickable: http://aprilbanking.cjb.net/
    |
    | http://www.f-secure.com/weblog/archives/00001411.html
    |
    | Enjoy :-)
    |

    F-Secure humour...
    "...the banking trojan uses PCMCIA to inject code into the VGA! As an end result, the trojan
    creates a man-in-the-browser attack against the victim."

    Here's another...

    "New Sophos facial recognition technology uses webcams to stop hackers and virus writers in
    their tracks"

    http://www.sophos.com/pressoffice/ne.../04/rapil.html


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  3. #3
    Quilljar Guest

    Re: Banking Trojan

    Pril.A rather gives the game away, don't you think?

    Q


