New Trojan Disguises Malicious Traffic

The Trojan installs itself as an Internet Explorer helper object, waits for the user to enter information in specific Web site forms--particularly for online banking sites--then zaps the stolen data back to the attacker.



Websense raised the alarm Tuesday of a phishing Trojan that uses a new technique to cloak its activity.

The San Diego-based Web security company said that the Trojan, which installs itself as an Internet Explorer helper object, waits for the user to enter information in specific Web site forms -- particularly online banking sites -- then zaps the stolen data back to the attacker.

What's unique about the new Trojan, said Websense, is that it delivers that data via ICMP packets. Keylogging Trojans usually transmit purloined usernames and passwords via e-mail or a HTTP POST command. Both can be easily spotted.

"Instead, this Trojan encodes the data with a simple XOR algorithm before placing it into the data section of an ICMP ping packet," Websense's warning read. "To network administrators and filtering software, the ICMP packet looks like legitimate traffic."

Websense confirmed the new technique's effectiveness by infecting a system with the Trojan, then entering account information into the SSL-protected Deutsche Bank Web site. As expected, the Trojan captured the information and sent an ICMP ping to a malicious remote server.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Email This  | 
Print  | 
RSS
More Insights
Copyright © 2021 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service