LAST-MINUTE PAPER: Gataka: a banking trojan ready to take off?

Jean-Ian Boutin (ESET)

Seldom do we see a new banking trojan appear with the size and complexity of Win32/SpyEye. This happened last year with the discovery of Win32/Gataka: a banking trojan that can inject content into HTML pages and that has a modular architecture which is easily extended with plug-ins. Once installed on a computer, Win32/Gataka can be used by botnet operators to steal personal information. To date, it has been used to steal banking credentials in various countries, including Germany, the Netherlands and Australia.

This presentation documents the discovery of this banking trojan, along with its internal design and its similarities to another well-known banking trojan, Win32/SpyEye. Among other things, the two share the same webinject configuration file syntax. This is a good example of specialization among malware writers: webinject files targeting specific institutions are interoperable between different malware platforms. We will also discuss advanced webinject configuration files and how the scripts they contain can be used to steal personal information automatically and/or attempt fraudulent bank transfers. Finally, we will go over some of the campaigns we have tracked in the past year, and show how this new strain of malware targets national institutions and how it evades different two-factor authentication processes.
