The Trouble with Horsies

I was sitting in the living room of my best friends' (G and his wife N) house the other night. They're a happening bohemian couple who live in the swinging, cool part of town, and they invited me over for a drink and "to have a talk" with me. The conversation started out light-hearted until they broached the subject of fixing me up on a date.

I was a bit hesitant and asked whether the intended lady was of fair stature and worthy intellectual capacity. At this, N's eyes started tearing up and she covered her mouth with her hand. G gave me a flinty-eyed stare. "Uriel," he said, "if I were you, I would not look a gift horse in the mouth."

My suspicion was further raised by the intended's inauspicious name: "Brumhilda". I was reminded of the advice my maternal grandfather gave me: "Don't look a gift horse in the mouth, but make sure it's not full of Greeks." This got me thinking (really, if you need to ask why, you haven't read my previous blog entries) about financial Trojan horses and how different they are from other types of malware out there from a business perspective. It seems there is no really suitable solution out there for financial Trojans, in much the same way as there seems to be a problem matching me up with the woman of my dreams.

For the purpose of this discussion a financial Trojan is any piece of malware that is designed for one or both of the following purposes:

  1. Stealing credentials, personal information, or any other piece of information necessary for identity takeover, with the intent of using the stolen identity in order to steal funds
  2. Performing unauthorized online transactions in order to steal funds; this includes Trojans which "hijack" the online banking sessions of infected users and carry out fraudulent transactions after the user has logged out

The first category includes keyloggers, screen-scrapers, and pharming Trojans such as Torpig, Briz, Haxdoor and Banksniff, among many others.

The second category is rarer and has been less publicized, but it includes the e-gold Trojan and some variants of the Metaphisher Trojan.

So why are these Trojans different from any other sort of malware? The biggest difference is that, unlike run-of-the-mill malware, these attacks have two victims: the end consumer (as with regular malware), and the financial institution, which may be liable for the stolen funds and which will in any case suffer substantial losses in terms of consumer confidence, reputation and customer relations.

So why are there no suitable solutions out there for financial Trojans? Let's consider the reasons:

  1. Non-direct protection: Although financial institutions fall victim to financial Trojan attacks, they cannot directly protect themselves against them, because the malicious software resides on their customers' computers and not on their own. Financial institutions usually cannot enforce their customers' use of appropriate anti-virus software, or ensure that signatures and patches are up to date, and so forth. This leaves them vulnerable, with few realistic measures beyond making recommendations to their customers and trying to provide high-level education on how to avoid becoming infected by crimeware (which is "less than successful" in most cases).
  2. Awareness of the attacks: Unlike phishing, it is usually very difficult for a financial institution to know that it is being targeted by a financial Trojan. Most Trojans are passive and do not interact visibly with the end-user, which lessens the chance that the customer will report anything to the financial institution. In addition, the financial institution usually cannot detect the attack from information on its own servers, and anti-virus vendors rarely publicize which institutions a given piece of malware targets. The upshot of all of this is that Trojans are often the 'mysterious' cause of unattributable fraud losses. For example, a recent discovery of BankSniff Trojan logs showed 30,000 infected individuals in a given month; not one of those individuals had been known to be infected with a Trojan at any of the banks attacked. Finally, the information reported by anti-virus vendors usually covers how to remove the malware or how it operates, not the business impact for the financial institution involved (such as what kind of credentials were compromised, or how the Trojan operated in terms of transactions).
  3. Relatively ineffective solutions: Current anti-virus solutions are rarely effective at protecting consumers from these types of Trojans, even when the consumer does have anti-virus software installed (!). Why?
     a. Low coverage: financial Trojans are usually less widespread than botnet, spyware or other types of malware, which means that they are often harder to detect and usually receive a lower priority from anti-virus vendors.
     b. "Insufficient impact": anti-virus vendors usually prefer to release updates for malware that has a noticeable impact on the consumer's machine. Since these Trojans are passive, they are again likely to receive a low update priority.
     c. Time-sensitive: unlike botnets or spyware, these Trojans are time-sensitive. Much damage can be done in the time it takes an anti-virus company to release an update.
     d. The 'detection gap': studies by AV-Test (http://www.av-test.org) based on the WildList Organization (http://www.wildlist.org) show that most anti-virus vendors are not very successful at detecting new Trojans in the wild.

When comparing my love life to the plight of institutions facing financial Trojans, I can't help but feel better. Maybe I'll give Brumhilda a call.
