The Computer Clarity Blog

By Daily Mail Reporter
Last updated at 2:11 PM on 11th August 2010

• Trojan is still at large and may strike again, experts warn
• Bank affected has still not been named

Thousands of British online banking customers have fallen victim to a sophisticated attack by cyber criminals who have stolen thousands of pounds from their accounts.

About 3,000 online banking customers have been victims of a computer virus attack that empties their accounts while showing them fake statements so the scam goes undetected.

Experts have described the attack using a ‘Trojan’ virus as the most sophisticated and dangerous malware program ever created.

The cyber criminals stole an estimated £675,000 between July 5 and August 4 and the attack is still progressing, experts warn.

Out of action: The new Trojan virus can empty bank accounts without their owners knowing about the theft as it shows them fake statements

The latest virus is a variant of the Zeus Trojan banking virus which first emerged three years ago and is called Zeus v3. 

M86 Security said: ‘We’ve never seen such a sophisticated and dangerous threat. Always check your balance and have a good idea of what it is.’

The scam was discovered after M86 gained access to the command-and-control server in Eastern Europe running the thefts.

How to protect yourself from Trojans when banking online

• Make sure your anti-virus software is up to date.
• Keep firewalls set to the highest level.
• Never open an e-mail attachment from someone you don’t know.
• Never double-click on an e-mail attachment that ends in .exe. It is an ‘executable’ file and can do what it likes in your system.
• If you think your machine has already been infected, contact your bank immediately. If the bank thinks you are a genuine victim of fraud it will reimburse you.

It collects data such as passwords and even transfers money out of accounts automatically, but only after checking if there is at least £800 available.

Bradley Anstis, M86 vice-president of technology strategy, said: ‘This is an extremely sophisticated version of the virus and it cannot be detected by traditional security software.’

The company said it was the most-sophisticated and dangerous virus yet seen and advised online banking users to check their balances regularly and have a good idea of what it should be. 

British high street banks do not believe they have become victims of the cyber criminals.

A spokesman for HSBC said: ‘There are millions of viruses and other malicious software.

We urge people to take basic measure to protect themselves from virus attacks.

Any customer who is a victim of fraud will be reimbursed by HSBC.’

However, M86 said it believed one high street bank was breached and failed to act quickly after warnings last month.

More than 100,000 PCs in Britain have been infected with other forms of the Trojan virus.

McAfee Inc, the security software maker, said production of software code known as malware, which can harm computers and steal user passwords, reached a new high in the first six months of 2010.

McAfee said total malware production continued to soar and 10 million new pieces of malicious code were catalogued.

What is a Trojan?

• A Trojan is a type of computer virus that infects your PC
• It is called a Trojan because it will disguise itself as a useful application but when installed can take control of a user’s computer
• It can let a hacker take control of your computer or simply wipe the hard drive
• It can also be used to install key logging software which will let the hacker know what you are typing and give him access  to your passwords
• Trojans are now the most popular form of computer virus or ‘malware’

It also warned users of Apple’s Mac computers, considered relatively safe from virus attacks, that they may also be subjected to malware attacks in the future.

‘For a variety of reasons, malware has rarely been a problem for Mac users. But those days might end soon,’ a spokesman said.

‘Our latest threat report depicts that malware has been on a steady incline in the first half of 2010,’ Mike Gallagher, chief technology officer of Global Threat Intelligence for McAfee, said in the report that was obtained by Reuters.

Last year £59.7million was lost to online banking fraud, according to Financial Fraud Action UK.

Another £440million was lost to credit card fraud.

And the problem is said to be on the rise, with criminals attacking banks’ customers rather than the banks themselves as they are seen as softer targets.

A Financial Fraud Action UK spokeswoman said: ‘The idea that criminals are targeting people by using malicious software or Trojans is nothing new.

Bank systems are hard to attack so they have to go through the easier link in the chain, which is the customers.

They’re hoping customers aren’t taking security precautions. We’ve been seeing this for the last few years and we’re constantly urging people to protect their computers to try to mitigate the risk of becoming a victim.’

Victims of online banking fraud are generally refunded the money.

Computer Clarity

Trojan Horse Email

Trojan horse email offers the promise of something you might be interested in—an attachment containing a joke, a photograph, or a patch for software vulnerability. When opened, however, the attachment may do any or all of the following:

• create a security vulnerability on your computer
• open a secret “backdoor” to allow an attacker future illicit access to your computer
• install software that logs your keystrokes and sends the logs to an attacker, allowing the attacker to ferret out your passwords and other important information
• install software that monitors your online transactions and activities
• provide an attacker access to your files
• turn your computer into a “bot” an attacker can use to send spam, launch denial-of-service attacks, or spread the virus to other computers

What to Look For

Trojan horse emails have come in a variety of packages over the years. One of the most notorious was the “Love Bug” virus, attached to an email with the subject line “I Love You” and which asked the recipient to view the attached “love letter.” Other Trojan horse emails have included the following:

• email posing as virtual postcard
• email masquerading as security bulletin from a software vendor requesting the recipient apply an attached “patch”
• email with the subject line “funny” encouraging the recipient to view the attached “joke”
• email claiming to be from an antivirus vendor encouraging the recipient to install the attached “virus sweeper” free of charge

Computer Clarity

As has become tradition, PandaLabs, the anti-malware laboratory of Panda Security -The Cloud Security Company- has published its 2009 Virus Yearbook, reviewing the malicious codes that have appeared over the last 12 months and examining those that have stood out for one reason or another.
Rather than a ranking of the most widespread viruses, or those that have caused most infections, PandaLabs has selected those which, either for their use of social engineering or their visible effects on computers, stood out most last year. For this reason, some of the more well-known malicious codes (such as the Koobface virus) are absent from the list.

So here are the viruses we believe deserve a mention:

- The biggest headache. There can be no doubt that Conficker.C has been the most obnoxious virus over the last 12 months. It first appeared on December 31, 2008, and has spent the last year causing serious infections to companies and home users alike. The insidious and tenacious nature of this malicious code has earned it first place in our ranking.

- The Harry Potter of viruses. Although there is no reference to the world’s most popular fictional wizard, the on-screen messages Samal.A displays are all about magic. When it infects a computer, users will see the message “Ah ah you didn’t say the magic word” (see photo on Flickr), and the cursor then flickers waiting for users to enter a word. The truth is, it doesn’t matter what is entered, because after three attempts, the phrase “Samael has come. This the end” (see photo here), will be displayed and the computer is restarted.

- V for Vendetta. We still don’t know who is the real target of this vendetta, but DirDel.A wreaks vengeance on infected users, progressively replacing folders in different directories with copies of itself. The worm is carried in a file called Vendetta.exe with a typical Windows folder icon (see photo on Flickr).

- Plane nuisance. The Sinowal.VZR Trojan has infected thousands of computers under the guise of plane tickets supposedly purchased by the user (see photo on Flickr).

- The all-action virus. We are talking about Whizz.A. Once infected, computers will start emitting a series of beeps, the mouse pointer moves uncontrollably around the screen, the CD/DVD tray opens and closes, while the screen is ‘decorated’ with a row of bars like those in the image.

- The snooper. Waledac.AX ensnares its victims by claiming to offer a free application for reading SMS messages on anyone’s cell phone. Ideal for those that want to check up on their partners. Perhaps that’s why so many users fell victim to this intelligent virus.

- The most affectionate. BckPatcher.C tops this category, as it changes the desktop wallpaper to an image reading “virus kiss 2009” (see photo on Flickr. What a charmer!

- A touch of the sniffles. We couldn’t fail to mention here a couple of the viruses,WinVNC.A and Sinowal.WRN that used the widespread alarm surrounding swine flu to trick users and infect their systems.

- And the award for incompetent newcomer goes to… Ransom.K. This Trojan encrypts documents on infected computers, and then asks for a $100 ransom to release them. However its reator, probably lacking in experience, included a programming error which allows users to release the files with a simple key combination.

- The most deceitful. This year, the winner in this category is FakeWindows.A, which infects users by passing itself off as a license activation process for Windows XP.

- The party animal. Banbra.GMH arrives in an email promising photos of Brazilian parties (with dancing girls included)… Who could resist?

Computer Clarity

This week’s PandaLabs report looks at two new fake antiviruses and a Trojan.

Safety Antispyware and InternetSecurity 2010 are malicious programs that try to pass themselves off as legitimate software applications in order to steal users’ money by tricking them into believing that they will eliminate threats that actually do not exist.  For more information about this type of malware read “The Business of Rogueware”, a report on fake antivirus programs written by Luis Corrons and Sean-Paul Correll, PandaLabs researchers.

This report is available at:http://www.pandasecurity.com/img/enc/El%20Negocio%20de%20los%20falsos%20antivirus.pdf.

Safety Antispyware tricks users by warning them their computers are infected by (non-existent) threats, prompting them to buy a program to remove them. This program can be downloaded from the vendor’s site. The link can reach users through spam messages, fraudulent Web pages, etc. The fake antivirus shows an icon similar to that of real antivirus programs. Once installed, the program interface opens and runs a full system scan looking for malware.

You can see an image here:http://www.flickr.com/photos/panda_security/4208462422/

Then, it shows a series of messages prompting the targeted user to buy the product.

(http://www.flickr.com/photos/panda_security/4208462446/)

If the user decides to follow the program instructions to get rid of the ‘threats’, they will be asked to enter an activation code and be redirected to a website to buy the product. Once run, InternetSecurity 2010 scans the computer for malware. However, this is a fake scan that always reports that the computer is infected. Then, it offers users the possibility of disinfecting the computer. As the fake antivirus version is supposedly a trial version, users are first requested to buy the antivirus license. To this end, the malware opens the user’s Internet browser on the fake antivirus purchase page.  To reassure users that the purchase is safe and the antivirus is legitimate, it shows certificates of authenticity and claims to have been tested by McAfee. It even offers the antivirus license for a long time, apparently at a good price.

See an image here:http://www.flickr.com/photos/panda_security/4207698275/

If the user decides not to purchase the antivirus, it will keep running and displaying warnings about the threats the user is exposed to if they remain infected and do not update the antivirus. These warnings are displayed in two ways: through warnings on the toolbar or on-screen pop-up messages.

Banker.MAI is banker malware aimed at stealing banking data, credentials and/or credit card details when users try to log in to their online banking services.  This malware goes memory resident and does not show any symptoms that warn of its presence on the affected computer. The malware works in the background, waiting to be run, and send or receive data.  Banker.MAI arrives as a self-extracting RAR file attached to an email message, usually with the subject “Comprovante Deposito-29092009″. This email message appears to come from a legitimate banking institution, and asks the user to open the attached file to enter some necessary data. If the user opens the file they will become infected. The malware creator is notified via email whenever a computer is successfully infected.

More information about these and other malicious codes is available in the Panda Security Encyclopedia http://www.pandasecurity.com/homeusers/security-info/.

Computer Clarity

Facebook is a favorite hunting ground for hackers. The vast pool of users offered by this popular social network and the ease with which accounts can be hacked make it a highly attractive channel for spreading malware. Such is the case with the latest variant of a well-known worm: Koobface.GK. The bait consists of a Christmas greetings video hosted on a YouTube page. On playing the video, or clicking a link on the page, users will download and install the worm. Image available here

When the virus is installed on a computer, the following image appears and if users fail to enter the corresponding ‘captcha’ (Completely Automated Public Turing test to tell Computers and Humans Apart), it threatens to reboot the computer within three minutes. When the three minutes are up, nothing happens, but the computer is rendered unusable. Every time the captcha text is entered, the worm registers a new domain where the video will be hosted in order to continue being distributed.

According to Luis Corrons, Technical Director of PandaLabs, “social networks have become one of the methods most frequently used by hackers to spread their creations, due to the false sense of security many users have regarding the content published on these networks. Users generally trust the messages and content they receive, and consequently hackers get a high level of response through these channels”.

Christmas: hackers’ favorite time of year

Internet users often send Christmas greetings to their family and friends over the Web. Infection figures are always high at this time of the year, as new viruses emerge that take advantage of this increased user activity.

Every Christmas we see new malware designed specifically for the festive season:

- MerryX.A appeared in 2005. It reached users’ computers in a Christmas greetings email with an attachment. It was really a Trojan designed to capture keystrokes and steal information. It managed to infect over 50,000 Internet users in only a week. More information

- Zafi.D. Although this worm appeared in 2002, it is still distributed through emails that use Christmas greetings as bait. It opens a port on the infected computer without users’ knowledge and downloads another Trojan.

- The Navidad (Christmas in Spanish) malware family has numerous variants. These astute worms appeared in 2007. They are difficult to detect because they reach computers as a reply to an email which has previously been sent to another (infected) recipient. The message includes the Navidad.exe file which infects computers when run.

Here are a few security tips from PandaLabs when using social networks:

1) Don’t click suspicious links from non-trusted sources. This should apply to messages received through Facebook, and through other social networks and even via email.

2) If you click on the links, check the target page. If you don’t recognize it, close your browser.

3) Even if you don’t see anything strange in the target page, but you are asked to download something, don’t accept.

4) If you do download or install an executable file and the PC starts to launch messages, there is probably malware on your computer.

5) As a general rule, make sure your computer is well protected, to ensure that you are not exposed to the risk of infection from any malicious code.

Computer Clarity