Banking by Proxy with Trojan.Tatanarg

Banking Trojans are nothing new. They have been around for many years: detections such as the Infostealer.Bancos family date back to 2003. As more and more people moved to perform banking transactions online, Bancos created a huge and lucrative target for would-be criminals to exploit.

Traditionally, banking Trojans just captured the data traffic exchanged between the user and the online banking website. The captured information included authentication details, which the Trojan collected and sent to the attacker, either for their own use or to sell on to other parties for a profit. For as long as there have been banking Trojans, there has been a cat and mouse game between the banks and the criminals, as each side responds to the other's moves and tries to thwart them. More sophisticated banking Trojans employ a man-in-the-browser (MITB) method that is designed to overcome defenses such as SSL encryption and multi-factor authentication. MITB is achieved by monitoring and intercepting user activities in the browser in real time and modifying the HTML content inside the context of the browser, either to display false information to the user or to manipulate details of transactions sent from the user to the bank.

A Trojan that has come to our attention of late is Trojan.Tatanarg. As banking Trojans go, this one includes all of the expected functionalities and a few more. It is component-based, so the initial installer downloads several components that perform various functions. These functions include the following:

  • Killing other threats such as the Zeus Trojan. You may recall that Trojan.Spyeye also had functionality to kill Zeus Trojans. Zeus is clearly under attack not only from antivirus software but also from other malware.
  • Disrupting security software - this is relatively common in many malware samples.
  • Modifying HTML in the browser - this may be used to inject extra fields into authentication forms during login, for example.
  • Enabling Windows remote access.

In addition to stealing information, it also offers a back door, allowing a remote attacker to issue various commands to control the infected computer. Commands range from listing and terminating processes running on the computer, clearing browser cookies, and executing arbitrary programs, to rebooting the computer.

One interesting feature of the Trojan is that it hijacks SSL/TLS connections between the browser and the bank. When an SSL connection is being established, the bank will send the client a certificate and a public key signed by the certificate that will be used to encrypt information that is exchanged. The Trojan injects itself between the bank server and the browser and forms a proxy service. On the bank side of the proxy, the Trojan uses the details provided by the bank to encrypt outbound traffic. On the browser side of the connection, the Trojan inserts its own self-signed certificate and neutralizes the certificate validation in the browser process to fool the user into thinking that the connection is secure. Users may think the site is secure because the URL will use the “https” scheme and the browser will also show the telltale sign that everybody is trained to look for: the closed padlock.

When the user submits information in the browser, the information is encrypted using the Trojan’s details and is then intercepted and decoded by the Trojan. The Trojan performs any manipulation required, then re-encrypts the information (using the bank’s details) and forwards it on to the bank for processing.
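A defensive check for the substitution described above, added here as an illustration and not taken from the original post or from any Symantec product: it parses the DER certificate a client was actually shown and flags one whose issuer equals its subject, or whose SHA-256 fingerprint differs from a pin recorded from a clean vantage point. It assumes a monitoring agent outside the browser process can obtain that certificate; `bank.example`, `Example CA`, the function names and the sample certificates are constructed for the example.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_and_subject(cert):
    """Raw issuer and subject Name encodings from an X.509 certificate."""
    _, start, _ = read_tlv(cert, 0)         # outer Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert, start) # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert, pos)
        if tag != 0xA0:                     # skip the optional [0] version field
            fields.append(cert[pos:end])
        pos = end
    if len(fields) < 5:
        raise ValueError("not an X.509 tbsCertificate")
    return fields[2], fields[4]             # serial, sigAlg, issuer, validity, subject

def check_presented_cert(cert, pinned_sha256):
    """Findings for the certificate a client was shown for a pinned site."""
    issuer, subject = issuer_and_subject(cert)
    findings = []
    if issuer == subject:                   # issued to itself, no CA involved
        findings.append("self-issued")
    if hashlib.sha256(cert).hexdigest() != pinned_sha256:
        findings.append("pin-mismatch")
    return findings

def der(tag, *parts):
    """Encode one DER element (helper for the constructed samples only)."""
    body = b"".join(parts)
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + size + body

def sample_cert(issuer_cn, subject_cn):
    """Constructed certificate-shaped DER with empty keys and signature."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0x30),
              name(issuer_cn), der(0x30), name(subject_cn), der(0x30))
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))
```

The issuer/subject comparison identifies a self-issued certificate without verifying its signature, so treat it as an indicator alongside the pin comparison and not as proof on its own.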

From our investigations, it appears that this Trojan may have been developed from the W32.Spamuzle code base (hence detected as W32.Spamuzle) back in autumn 2010. Samples from October 2010 began to include features for proxying SSL connections and other more advanced features, which showed a significant change in direction. This may indicate that the makers of Spamuzle have decided that there is more money to be gained from stealing banking information than from just sending spam emails.

In addition to our standard antivirus signatures, we have also created the IPS signature HTTP Trojan Tatanarg Activity to block back channel communications. Users should therefore ensure that their IPS protection, as well as their antivirus signatures, is updated and active.

Thanks to Piotr Krysiuk and Peter Coogan for their input into this blog.