Playing Cops & Robbers with Banks & Browsers

We are currently tracking a banking Trojan called Trojan.Neloweg. Looking at early infection numbers, we noticed that a small number of users were compromised in the UK and the Netherlands.

Digging into the threat, we saw that the login credentials of these users (including banking credentials) may have been stolen. A partial list of affected bank pages can be seen below.

To see where other infections were occurring, we took a more global look at the infection numbers. So far the threat appears to be confined to Europe.

Trojan.Neloweg operates similarly to another banking Trojan known as Zeus. Like Zeus, Trojan.Neloweg can detect which site the browser is on and add custom JavaScript to the page. But while Zeus ships its configuration in a file bundled with the malware, Trojan.Neloweg keeps its configuration on a malicious web server and fetches it from there.

Once a particular banking page has been matched, Trojan.Neloweg covers part of the page in white using an injected DIV element, hiding the original content beneath it, and then executes custom JavaScript downloaded from the malicious server. We are currently monitoring the threat to see what changes it makes to the banking pages that a compromised user visits.
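The two artefacts described above, an injected DIV that paints over part of the page and a script pulled from a host that is not the bank's own, are both visible in the DOM of the modified page. The following scanner is an added example, not code from the original post or from Symantec: it walks a saved copy of a page and flags any absolutely or fixed-positioned DIV with a white background, and any external script whose host is not on an allow-list of the bank's own hosts. The sample page, the bank host `www.examplebank.test`, and the inject host `198.51.100.7` are constructed for this example and do not reproduce Neloweg's real injected markup or infrastructure.

```python
"""Flag signs of a web inject in a saved copy of a banking page.

Added example, not code from the original post. It looks for the two
artefacts the post describes: a DIV that paints over part of the page in
white, and a script loaded from a host that is not the bank's own. The
sample page and hosts below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a banking login page with two injected elements.
SAMPLE_PAGE = """
<html><head>
<script src="https://www.examplebank.test/js/login.js"></script>
<script src="http://198.51.100.7/cfg/inject.js"></script>
</head><body>
<div id="login">...</div>
<div style="position:absolute; top:0; left:0; width:100%; height:320px;
            background-color:#ffffff; z-index:9999"></div>
</body></html>
"""

# Common spellings of white in inline styles (spaces removed, lowercased).
WHITE = {"#fff", "#ffffff", "white", "rgb(255,255,255)"}


def _style_props(style: str) -> dict:
    """Parse an inline style attribute into a lowercase property map."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            props[key.strip().lower()] = value.strip().lower().replace(" ", "")
    return props


class InjectScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing the page."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            # External script: the host must be one the bank actually uses.
            host = (urlparse(a["src"]).hostname or "").lower()
            if host not in self.allowed_hosts:
                self.findings.append(("foreign-script", a["src"]))
        elif tag == "div" and a.get("style"):
            # Overlay: positioned out of flow and painted white.
            p = _style_props(a["style"])
            overlay = p.get("position") in ("absolute", "fixed")
            bg = p.get("background-color") or p.get("background", "")
            if overlay and bg in WHITE:
                self.findings.append(("white-overlay", a["style"]))


def scan_page(html: str, allowed_hosts) -> list:
    """Return (kind, detail) tuples for every suspicious element found."""
    scanner = InjectScanner(allowed_hosts)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, ["www.examplebank.test"]):
        print(f"{kind}: {detail}")
```

Run it against a page saved from the infected browser (the DOM after scripts have run, not the server's original HTML), since the inject is only present client-side. A white overlay by itself is weak evidence, as legitimate pages use modals too; a white overlay together with a script from an unexpected host on a login page is the combination worth investigating.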

In terms of popularity, Firefox and Internet Explorer together account for over 50% of browser usage, so it is no surprise that Trojan.Neloweg targets these two giants. More interestingly, it also specifically targets a handful of less common browsers built on the Trident (Internet Explorer), Gecko (Firefox) and WebKit (Chrome/Safari) engines. There are a few reasons to target a range of browsers. The most obvious is to infect as many victims as possible. The second is that some people do their online banking in a less well-known browser in the hope of gaining security through obscurity; targeting those browsers makes it more likely that the attacker ends up inside a browser that is actually used for online banking.

It does not only go after banking credentials; it attempts to steal any other login credentials as well. To achieve this, the malware authors give the browser added bot functionality.

As can be seen from the screenshot above, the browser (Firefox in this instance) can now function like a bot and accept commands. It can process the content of the page it is currently on, redirect the user, halt the loading of particular pages, steal passwords, run executables, and even kill itself. Unfortunately the kill function is a bit excessive: it deletes critical system files, which in turn prevents users from logging in properly.

The way it integrates itself into Firefox is unusual as well. In the past we have seen threats install malicious extensions; all users had to do was disable that particular add-on and they would be safe. That is not the case for Trojan.Neloweg. Because it is installed as a browser component rather than an extension, it does not appear in Firefox's Add-ons Manager the way other extensions and plugins do. Furthermore, because of the way Firefox is designed, Neloweg will be recreated and reinstalled every time Firefox attempts to connect to the Internet.
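Because a component never shows up in the Add-ons Manager, the place to look for it is the registration data Firefox itself reads. The audit below is an added example, not code from the original post or from Symantec, and it does not encode any real Neloweg indicator. It assumes the Gecko 2+ `chrome.manifest` format (`component {CID} path`, `contract @id;1 {CID}`, `category ...` directives) and a baseline of SHA-256 hashes for the component files a clean install ships; every `component` directive is resolved to a file and reported as `ok`, `unknown` (not in the baseline), `modified` or `missing`. The manifest text, the CIDs, the file names and the baseline are all constructed for this example.

```python
"""Audit a Firefox chrome.manifest for component registrations that are
not on a known-good baseline.

Added example, not code from the original post or from Symantec. It
assumes the Gecko 2+ chrome.manifest directive format and a baseline of
SHA-256 hashes for the files a clean install ships. The manifest, CIDs,
file names and baseline below are constructed for this example and carry
no real Neloweg indicators.
"""
import hashlib
import os
import tempfile

# Constructed manifest: one legitimate registration plus an added one.
SAMPLE_MANIFEST = """\
# chrome.manifest (constructed sample)
component {11111111-2222-3333-4444-555555555555} components/nsUpdate.js
contract @mozilla.org/updates/update-service;1 {11111111-2222-3333-4444-555555555555}
component {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} components/nsHelper.js
contract @example.invalid/helper;1 {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
category profile-after-change Helper @example.invalid/helper;1
"""


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large component files are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_components(manifest_text: str) -> dict:
    """Return {CID: relative path} for every 'component' directive."""
    comps = {}
    for line in manifest_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "component":
            comps[parts[1]] = parts[2]
    return comps


def audit_components(app_dir: str, manifest_text: str, baseline: dict) -> list:
    """Compare every registered component file against the baseline hashes.

    baseline maps relative path -> sha256 hex digest. Returns a list of
    (relative path, verdict) with verdict in 'ok', 'unknown', 'modified',
    'missing', in manifest order.
    """
    results = []
    for cid, rel in parse_components(manifest_text).items():
        full = os.path.join(app_dir, rel)
        if not os.path.isfile(full):
            results.append((rel, "missing"))
        elif rel not in baseline:
            results.append((rel, "unknown"))   # registered, but never shipped
        elif sha256_file(full) != baseline[rel]:
            results.append((rel, "modified"))  # shipped file, changed content
        else:
            results.append((rel, "ok"))
    return results


def demo() -> list:
    """Build a throwaway install directory and run the audit on it."""
    with tempfile.TemporaryDirectory() as app_dir:
        os.mkdir(os.path.join(app_dir, "components"))
        good = os.path.join(app_dir, "components", "nsUpdate.js")
        with open(good, "wb") as f:
            f.write(b"// legitimate component (constructed)\n")
        with open(os.path.join(app_dir, "components", "nsHelper.js"), "wb") as f:
            f.write(b"// added component not in baseline (constructed)\n")
        # Only the shipped file is in the baseline; nsHelper.js is not.
        baseline = {"components/nsUpdate.js": sha256_file(good)}
        return audit_components(app_dir, SAMPLE_MANIFEST, baseline)


if __name__ == "__main__":
    for rel, verdict in demo():
        print(f"{verdict:9} {rel}")
```

In practice the baseline would be generated from a clean install of the same Firefox version, and the audit run against both the application directory and any profile directory that carries its own manifest. Because the post notes that the component is recreated when Firefox next goes online, a single clean result is not enough: re-run the audit after Firefox has been started and allowed to connect, and treat a component that returns as a sign that the installer on the system still needs to be found.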

As threats go this is atypical. Not many bots are implemented within the browser itself.  Customers who have DeepSight accounts can read more details in our Trojan.Neloweg — Bank Robbing Bot in the Browser report.