- Jan 24, 2011
Security researchers from Symantec warn of a new banking trojan capable of hijacking the SSL connections between browsers and online banking sites in a way that is hard to spot.
Variants of this malware, which Symantec detects as Trojan.Tatanarg, have been in circulation since last October, but its code is believed to be based on an older threat called W32.Spamuzle.
The trojan has a modular architecture, with separate components handling different tasks, and offers the functionality found in most banking malware.
It can inject rogue HTML code into pages (man-in-the-browser attacks), disrupt antivirus software, uninstall other banking trojans and enable Windows remote access.
It also features a backdoor component through which attackers can issue commands to control the infected computers.
However, the most interesting functionality of this trojan is its ability to function as a proxy between browsers and SSL-secured websites.
This is achieved by hijacking the legit SSL connection and establishing a new one on the browser end using a self-signed certificate.