Massive Botnet Pillaging Bank Accounts

A stealthy bot Trojan has been infecting machines via drive-by downloads for months and may have infected a million PCs. It aims to pillage personal bank accounts.

Gregg Keizer, Contributor

March 22, 2006

2 Min Read

One of the most sophisticated bot Trojans ever has been infecting machines for months, a security company revealed Wednesday, and has compromised an estimated one million PCs in an ongoing effort to pillage personal bank accounts.

According to Reston, Va.-based iDefense, multiple variants of a Trojan dubbed "MetaFisher," a.k.a. "Spy-Agent," has been spreading for months under the proverbial radar.

"MetaFisher has compromised hundreds of thousands if not millions of accounts for financial fraud," said Ken Dunham, the director of iDefense's rapid response team.

The Trojan's pitched the usual way -- via spammed e-mail that includes a link -- and uses the long-patched Windows Metafile (WMF) vulnerability to silently install via a drive-by download on machines whose users simply surf to these malicious sites.

Once on a machine, the malware turns the PC into yet another "bot," or remotely-controlled computer. But Dunham, who called MetaFisher "the most sophisticated bot to date," said it has several unique technical tricks up its sleeves.

MetaFisher uses HTML injection techniques to phish information from victims after they've logged into a targeted bank account, said Dunham, which lets attackers steal legitimate TAN numbers (one-time PINs used by some banks overseas) and passwords without having to draw them onto phony sites.

Currently, MetaFisher is targeting Spanish, British, and German banks, and their customers.

iDefense, said Dunham, broke the encryption used to disguise the traffic between bots and their controllers, and has monitored that back-and-forth for several weeks. It's passed along the information to its parent company VeriSign, which has been working on taking down the sites used to drive-by-download the Trojan.

Increasingly, bots are being used by criminals to steal personal financial information using covert code and keyloggers. Last week, FaceTime, a Foster City, Calif. security company, disclosed details of a bot network, or botnet, that was exploiting vulnerabilities in back-end e-commerce shopping cart software to rip off consumers.

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights