In-depth look at a Silentbanker variant (Silentbanker.B)

Overview

Last week we looked at a compromised computer that was infected with the Silentbanker.B variant, and we were able to recover all relevant files, including the installer.
Initially, the Silentbanker installer was executed as a drive-by download and, as the antivirus engine had no signatures for it, it was able to install itself.
After that, the Silentbanker Trojan uses a number of techniques to steal confidential information:

  • It downloads encrypted configuration files from the Internet to stay up to date with its policies
  • It injects malicious HTML into the current browser process to circumvent any browser-based security solutions, including (EV) SSL certificates, …
  • It is a real-time Trojan that transmits the stolen information instantly to circumvent any sandbox security solutions and two-factor authentication devices. That also means that someone is successfully authenticated without your knowledge and without your approval, even with a one-time password.
  • It uses userland rootkit techniques to hide the malicious components on the hard drive to evade detection.

However, in the end, the Silentbanker Trojan is a very sophisticated BHO (Browser Helper Object) that works only with Internet Explorer.

TrustDefender customers were protected against this by design through the Safe&Secure Mode and the Secure Lockdown.

Technical Details

Once infected, the malicious BHO named mscorews.dll is loaded by Internet Explorer. The interesting part is that once it is loaded, it is no longer visible in the file system.

Even more: once the component is loaded, it hides the file from the Windows API, making the file “invisible”. The malicious DLL also cannot be located by traversing Internet Explorer's module list. In some sense it exists neither in memory nor on disk. Pretty clever :-)
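The hiding described above has a weak spot a defender can use: a BHO that is hidden from directory listings and from the browser's module list still has to stay registered, or Internet Explorer would never load it. The following is an added example written for this post (it is not TrustDefender's code or anything recovered from the infected machine) that compares the three views and flags registrations that cannot be seen elsewhere. The CLSIDs, paths and listings are constructed sample data; the BHO registry key named in the comment is the standard one, and on a live system the three inputs would come from the registry, a directory walk and a module enumeration of iexplore.exe.

```python
"""Cross-view consistency check for Browser Helper Objects (BHOs).

A userland rootkit that hides its DLL from directory listings and from the
browser's module list still has to leave its CLSID registered, or Internet
Explorer would never load it. Comparing the registry view with the other two
views flags entries that are registered but invisible elsewhere.

All sample data here is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample of BHO registrations: CLSIDs as found under
# HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects,
# mapped to the InprocServer32 path each CLSID resolves to under HKCR\CLSID.
SAMPLE_BHO_REGISTRATIONS: Dict[str, str] = {
    "{11111111-1111-1111-1111-111111111111}":
        r"C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    "{22222222-2222-2222-2222-222222222222}":
        r"C:\WINDOWS\system32\mscorews.dll",  # DLL name from the write-up, CLSID constructed
}

# Constructed sample of what a directory listing through the Windows API returns
SAMPLE_VISIBLE_FILES: Set[str] = {
    r"C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
}

# Constructed sample of the module list of the running iexplore.exe process
SAMPLE_LOADED_MODULES: Set[str] = {
    r"C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
}


@dataclass(frozen=True)
class BhoFinding:
    clsid: str
    dll_path: str
    on_disk: bool
    in_module_list: bool

    @property
    def suspicious(self) -> bool:
        # A BHO that is registered (so IE will load it) but cannot be seen on
        # disk or among loaded modules matches the hiding behaviour described.
        return not (self.on_disk and self.in_module_list)


def _norm(path: str) -> str:
    """Case-insensitive, quote-stripped comparison key for Windows paths."""
    return path.strip().strip('"').lower()


def audit_bhos(registrations: Dict[str, str],
               visible_files: Iterable[str],
               loaded_modules: Iterable[str]) -> List[BhoFinding]:
    """Compare the registry view against the file-system and module views."""
    disk = {_norm(p) for p in visible_files}
    modules = {_norm(p) for p in loaded_modules}
    findings = []
    for clsid, dll in registrations.items():
        key = _norm(dll)
        findings.append(BhoFinding(clsid, dll, key in disk, key in modules))
    return findings


def hidden_bhos(registrations: Dict[str, str],
                visible_files: Iterable[str],
                loaded_modules: Iterable[str]) -> List[str]:
    """Return the DLL paths of registered BHOs that are missing from a view."""
    return [f.dll_path
            for f in audit_bhos(registrations, visible_files, loaded_modules)
            if f.suspicious]


if __name__ == "__main__":
    for finding in audit_bhos(SAMPLE_BHO_REGISTRATIONS, SAMPLE_VISIBLE_FILES,
                              SAMPLE_LOADED_MODULES):
        flag = "HIDDEN?" if finding.suspicious else "ok"
        print(f"{flag:7} {finding.clsid} {finding.dll_path} "
              f"(on_disk={finding.on_disk}, in_modules={finding.in_module_list})")
```

The check is deliberately a difference between views rather than a signature: it does not need to know the DLL's name or hash, so it also catches a renamed sample, and it reports the legitimate Acrobat BHO as consistent because it is present in all three views. A file that exists on disk but is missing from the module list (or the reverse) is also flagged, since either mismatch is worth a look.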

If the user now browses to a banking website known to the Silentbanker Trojan, it injects the malicious HTML code.

The Trojan now asks the user for additional private and confidential information, beyond what the real bank login would ask for. This information is collected and sent ‘in real time’ to the C&C server located in Russia.

What happens if TrustDefender is deployed: with TrustDefender installed, when the customer logs in, we can also verify that the Secure Lockdown successfully protects the user from having their confidential details stolen, as the Silentbanker Trojan cannot send anything anywhere (except the “real” SSL certificate fingerprints of Bank of America).

Note: another interesting fact is that this Silentbanker Trojan specifically targets the TAN (one-time password) systems implemented mostly by German banks. This shows that there is only so much you can do on the server side; a full security solution has to include the client.

The banks targeted for their TAN systems are: Postbank.de, Citibank.de, Deutsche-Bank.de, Norisbank.de, Seb-Bank.de, Fiducia.de (all Volks-/Raiffeisenbanken), Comdirect.de, 1822direkt.com, Haspa.de, Hypovereinsbank.de, Weberbank.de, Gad.de, Sparda.de, Mlp.de, Kaupthinedge.de, Psd-bank.de.

Unfortunately, the VirusTotal results for the malicious Silentbanker module were quite disastrous last week: only 7 out of 36 antivirus engines detected the Trojan (see http://www.virustotal.com/analisis/9e1c5e1c068fd0de61133594ca404519).
