Date : 2004-07-08

BroadWeb NetKeeper Successfully Stops Pop-up Password Stealing Trojan

A new Trojan program that installs itself through a pop-up advertisement was discovered. Once successfully installed on the victim host, the Trojan program can read keystrokes and steal the victim’s online banking identity and passwords when the victim browses any one of nearly 50 banking sites that this Trojan program already targets. These targeted banking sites include major financial institutions such as Citibank, HSBC Bank, Barclays Bank, Samba Bank, and Deutsche Bank.
 
This malicious program appears to be a compressed .gif file named “img1big.gif”, but this gif file is actually a compressed Win32 executable file which contains two programs: one is a “file dropper”, which can install any executable concatenated to its body; the other is a Trojan horse program that insidiously captures the victim’s financial identity information and passwords. This Trojan horse program is installed as a “Browser Helper Object”, which appears as a DLL file.
 
Even if victims use the HTTPS protocol to access online banks, their financial information is logged in clear text, because the “Browser Helper Object” DLL has already processed and grabbed the data before it passes through the browser and is encrypted.
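Because a Browser Helper Object is simply a DLL registered under a well-known registry key, a defender can inventory the BHOs on a host and flag any whose DLL is missing or not Authenticode-signed. The following script is an added example and not part of the BroadWeb advisory or NetKeeper product; it assumes a Windows host with PowerShell 3 or later and read access to HKLM and HKEY_CLASSES_ROOT.

```powershell
# Added example (not from the advisory): list registered Browser Helper Objects
# and report the implementing DLL together with its Authenticode signature status.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-RegisteredBho {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($clsidKey in Get-ChildItem -Path $root) {
            $clsid = $clsidKey.PSChildName
            # The DLL implementing the BHO is the default value of the CLSID's InprocServer32 key.
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
            }
            $status = 'DllMissing'
            if ($dll -and (Test-Path $dll)) {
                $status = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
            [pscustomobject]@{
                CLSID     = $clsid
                DllPath   = $dll
                Signature = $status
            }
        }
    }
}

# Anything other than a valid signature (unsigned, tampered, or a DLL that no
# longer exists on disk) is worth a closer look during an investigation.
Get-RegisteredBho | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Run it from an elevated prompt on the suspect host; a clean system with no third-party browser extensions typically returns nothing from the final filter.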
 
After the Trojan horse program captures a victim’s online bank ID and password, it encrypts the data and sends it back to the attackers, who are believed to be in South America.
 
This particular type of malware poses a serious threat to the online financial industry. BroadWeb suggests that NetKeeper users upgrade their signature patterns to version 2.43 immediately, which can detect this kind of password-stealing Trojan horse program and thwart the attacker’s attempt to steal personal financial information.