A new botnet has been detected that steals passwords and login credentials, with more than 100 financial and banking domains targeted.
Named the ‘Jericho’ botnet, it was detected by Palo Alto Networks, which said it had discovered 42 samples and described it as a variant of banking Trojans such as the stealthy Jorik.
Palo Alto said its WildFire detection network found the unique but related banking botnet samples. It also said that all infections were delivered from Israeli IP space, but the engineering of the file appears to be of Romanian origin; as the vast majority of the URLs used to deliver the malware ended in ierihon.com (Ierihon means “Jericho” in Romanian), it was named the Jericho botnet.
“But what's really interesting about Jericho is that like many other contemporary pieces of modern malware, Jericho demonstrates a number of behaviours that are designed for stealth, persistence and avoidance of traditional signature-based approaches to malware detection,” it said.
“The malware is able to inject itself into the Windows logon to maintain persistence on the infected host after a reboot. What was a bit more interesting was just how efficient the malware was at injecting itself into valid applications such as Firefox, Chrome, Java, Outlook and Skype, and then repurposing their capabilities. This not only enables the malware to hide within approved applications during run time, but it also means that standard methods for observing Windows API calls are subverted.”
It also claimed that of the 42 samples that were analysed, the top anti-virus solutions only achieved a 3.2 per cent detection rate on the day the sample was first detected. This slowly but steadily improved over time, with coverage improving to 39 per cent over seven days.