LAST-MINUTE PAPER: Gataka: a banking trojan ready to take off?
Jean-Ian Boutin ESET
Seldom do we see a new banking trojan with the size and complexity of Win32/SpyEye appearing. This happened last year with
the discovery of Win32/Gataka: a banking trojan that is able to inject content in HTML pages and which exhibits a modular
architecture that is easily extensible with plug-ins. Once installed on a computer, Win32/Gataka can be used by botnet
operators to steal personal information. As of now, it has been used to steal banking credentials in various countries
including Germany, the Netherlands and Australia.
This presentation documents the discovery of this banking trojan along with its internal design and its similarities with
another well-known banking trojan: Win32/SpyEye. Among other things, both share the same webinject configuration file
syntax. This is a good example of malware writer specialization: webinject files targeting specific institutions are
interoperable between different malware platforms. We will also discuss advanced webinject configuration files and how
scripts contained in these files can be used to automatically steal personal information and/or attempt fraudulent bank
transfers. Finally, we will go over some of the campaigns we have tracked in the past year and show how this
new strain of malware is targeting national institutions and how it is evading different two-factor authentication
del.icio.us digg this