A UK-specific banking malware is hitting users and proving difficult for anti-virus vendors to detect

News by Dan Raywood

Warnings have been made about a piece of banking malware that specifically targets UK banks.

Mickey Boodaei, CEO of Trusteer, claimed that the malware, known as Silon, works as a ‘man-in-the-middle’ attack that specifically targets the login page, and that to date only one detection out of 41 anti-virus engines has been recorded. He said that it was able to modify web pages ‘on the fly’ and collects logon information, including one-time passwords.

He said: “As an .exe file it looks different on each computer, so it is hard for anti-virus to detect it. The bottom line is we are facing a very sophisticated piece of malware that is flying under the radar of anti-virus vendors; it is distributed to large customers and is bypassing the rules put in place. It is the ultimate piece of malware.”

Commenting on its specific targeting of UK banks, Boodaei said that it will target two or three banks where it needs to recruit mule accounts, and once it has been mastered its controller can commit a lot of fraud.

He said that cyber criminals ‘all use Zeus, but there is no real connection between operators’.

“This is something that makes sense for an original crime group to develop for themselves, and you will not see it anywhere else. Like Zeus it is platform specific, and in the future it may be used in other countries; we cannot really tell.”

He commented that there was a need for banks to understand how the malware works, and how its bypasses work, so that they can act on that knowledge and tweak their settings. He said that it is spreading by email, via the web and through botnets.

Asked about detections and how many infections there had been, Boodaei said that he did not have specific details, as every piece of malware is different.

Data from Prevx showed that it first saw attacks on 4 September last year, and that by yesterday it had seen 97 infected agents running 50 unique executables. The most common file name accounted for 17 detections; echoing Boodaei's comments on how unique each sample is, most file names were seen on only one agent.

Prevx also found that the largest number of detections came in October last year, with another peak in November.
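The prevalence counts behind the Prevx figures (agents per file name, distinct executables, sightings per month) are the kind of analysis any endpoint telemetry feed supports. The following is an added example, not Prevx or Trusteer code; it assumes a feed with one record per sighting of an executable on a monitored machine, made up of a date, an agent id, a file name and a hash. Every record in it is constructed for illustration, and the hashes are shortened placeholders.

```python
"""Prevalence analysis over endpoint telemetry.

Added example, not Prevx or Trusteer code. It assumes a telemetry feed
with one record per sighting of an executable on a monitored machine:
(date seen, agent id, file name, hash). Every record in TELEMETRY is
constructed for illustration; the hashes are shortened placeholders.
"""
from collections import Counter, defaultdict

# Constructed sightings. Note the pattern the article describes: one file
# name recurs across agents, but every agent carries a different hash.
TELEMETRY = [
    ("2009-09-04", "agent-01", "svchost32.exe", "aaa1"),
    ("2009-10-02", "agent-02", "svchost32.exe", "aaa2"),
    ("2009-10-03", "agent-03", "svchost32.exe", "aaa3"),
    ("2009-10-11", "agent-04", "winlogin.exe", "bbb1"),
    ("2009-10-19", "agent-05", "updsvc.exe", "ccc1"),
    ("2009-11-07", "agent-06", "netcfg.exe", "ddd1"),
    ("2009-11-08", "agent-07", "svchost32.exe", "aaa4"),
    ("2009-11-20", "agent-08", "drvhlp.exe", "eee1"),
]


def agents_per_name(rows):
    """Map each file name to the set of distinct agents that reported it."""
    seen = defaultdict(set)
    for _date, agent, name, _digest in rows:
        seen[name].add(agent)
    return seen


def most_seen_name(rows):
    """The file name reported by the most agents, with that agent count."""
    name, agents = max(agents_per_name(rows).items(), key=lambda kv: len(kv[1]))
    return name, len(agents)


def singleton_names(rows):
    """File names reported by exactly one agent, sorted."""
    return sorted(n for n, a in agents_per_name(rows).items() if len(a) == 1)


def unique_executables(rows):
    """Number of distinct hashes, i.e. distinct builds of the binary."""
    return len({row[3] for row in rows})


def builds_per_agent(rows):
    """Distinct hashes divided by distinct agents.

    Close to 1.0 means nearly every victim received its own build, which
    is what defeats hash-based anti-virus signatures; a low ratio means
    the same file is being reused and a plain hash signature would work.
    """
    agents = {row[1] for row in rows}
    return unique_executables(rows) / len(agents)


def sightings_by_month(rows):
    """Count sightings per calendar month (YYYY-MM), in date order."""
    return dict(sorted(Counter(row[0][:7] for row in rows).items()))


def peak_month(rows):
    """Month with the most sightings."""
    return max(sightings_by_month(rows).items(), key=lambda kv: kv[1])[0]


if __name__ == "__main__":
    print("unique executables:", unique_executables(TELEMETRY))
    print("builds per agent:", builds_per_agent(TELEMETRY))
    print("most seen name:", most_seen_name(TELEMETRY))
    print("names seen on one agent only:", singleton_names(TELEMETRY))
    print("sightings by month:", sightings_by_month(TELEMETRY))
    print("peak month:", peak_month(TELEMETRY))
```

Counting by file name and by hash separately is the point: a recurring file name shows a campaign, while a hash-to-agent ratio near 1.0 shows that each victim got a different binary, which is why a signature on any one sample protects almost nobody else.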

This week also saw Trusteer introduce ‘Flashlight’, its remote fraud investigation and mitigation service, which identifies the attack source, gathers samples from the customer's machine and reverse engineers the mechanism the malware uses to commit fraud.

Boodaei said: “The bank will get a full report of who is tracking whom and of whether there is something new, such as Silon. It is a service that allows banks to be in control of fraud and threats. The bank can see fraud incidents for each customer too; Rapport protects the customer and Flashlight feeds back what has happened.”
