S21sec Finds Fresh Banker Trojan

According to the Spain-based S21sec, it has detected a fresh banker Trojan that conceals itself by utilizing a rootkit.

Named Tatanga, the most recent PC Trojan is actually quite advanced and the language used to write it is C++. It (Tatanga) pulls down several encrypted modules of Dynamic-Link Library that when inserted inside various processes or the Web-browser for escaping anti-virus programs are decrypted inside the computer's memory.

And similar to other PC-Trojans of the current type, Tatanga utilizes a configuration file that's encrypted. Moreover, there are elements in this file that are specific to countries affected. Thus Tatanga impacts banks in UK, Portugal, Spain and Germany. Actually, based on which bank is targeted, Tatanga quietly snatches users' credentials for executing spurious transactions while a banking session goes on.

State the researchers at S21sec, the Trojan has a module that harvests e-mail while taking care of encrypted communication and one more that eliminates rival trojans like Zeus. There's another module, which deactivates anti-virus software, while taking care of the configuration file that's encrypted, a patcher for files, and the HTML for inserting components.

Furthermore, according to the researchers, the modules called ModMalwareRemover and ModEmailGrabber, were possibly employed in a botnet during 2008, therefore the current situation possibly has come about due to that malware's evolution. Softpedia.com reported this on February 26, 2011.

Evidently, the above may indicate as to why Microsoft names the latest variant as Mariofev.B. On October 7, 2008, the company included an identification for Trojan:Win32/Mariofev.A.

The Trojan sends and receives messages from the C&C server through 7 Internet sites, which work like proxies; however, it has too weak a communication encryption.

Furthermore, Tatanga attaches onto explorer.exe as well as can insert HTML inside Google's Chrome, Mozilla's Opera, Firefox and Minefield, Microsoft's Internet Explorer, Safari, Maxthoon, Konqueror and Nestscape etc.

Eventually, the most recent finding indicates that there, in fact, is a rise in banker Trojans. During the end-week of February 2011, Trusteer another security company found the new "OddJob" a Trojan created for stealing from end-users' Internet bank accounts as it compromised their Internet banking sessions through the theft of session IDs.

Related article: S.Korean President Cites Spam as Crime Threatening Internet Users’ Trust

» SPAMfighter News - 3/10/2011