The Internet is widely used to provide services to the general public. Services include financial services such as online banking, as well as online shopping. Criminals have not been slow to seek profit from the Internet.
“Malware” is a general term that refers to software designed to infect and/or damage a user's computer. An example type of malware is spyware that has been designed for illegal use. Such spyware records information entered by the user into a computer. The information is then forwarded by the spyware to an attacker. The attacker examines the recorded information to look for data such as the user's bank username and password that may have been entered by the user to access an online bank account. The attacker can then use the username and password to log onto the user's bank account and execute fraudulent transactions.
Spyware can also be used in combination with “phishing”. Phishing involves an attacker sending messages to recipients, mainly in the form of e-mails, with the message claiming to be from a legitimate organisation such as a bank. The message would typically request the recipient to provide their account details to the organisation, either by replying to the e-mail or by clicking a hyperlink contained within the e-mail. In the latter example, the user will be directed to a fake website designed by the attacker to deceive the user into thinking it is a legitimate website. Any details that the user provides, either by e-mail or through the website, are stored by the attacker for use in fraudulent transactions. In order to increase the effectiveness of a phishing attack, the attacker may use spyware to collect user-specific information and tailor a phishing e-mail accordingly.
Spyware can be introduced onto a user's computer by means of a so-called “trojan”. A trojan is a program that is installed unknowingly by a user and which can carry spyware as its payload. The trojan disguises itself either as legitimate software, or is downloaded and installed simultaneously with legitimate software. The trojan can also be sent as an e-mail attachment, for example being attached to a fake e-mail claiming to be from a bank so as to trick the user into installing the spyware. Once the spyware is installed it is designed to remain concealed and to monitor computer activity by, for example, performing keylogging, and on certain user actions to interfere with the functioning of the user's software. The data obtained by the spyware is sent to the attacker to analyse and recover sensitive details relating to the user, such as bank passwords and the like, so that the attacker can use the sensitive details to commit fraud. Trojans specifically designed to enact financial fraud are known in the art as “banking trojans”.
As well as introducing spyware, a banking trojan can install other types of malware which cause a user's web browser to be directed to an attacker's server even though the user enters a “trusted” web site address. The attacker's server operates as a middleman between the user's browser and the trusted server. Any data entered by the user is rerouted to the attacker's server and any information from the legitimate website can be edited before being displayed to the user. During the session the attacker's server can add or interfere with the user's transactions without the user knowing. An attack of this nature, where the attacker modifies data as it is being entered by the user, is known as a “Man-in-the-Middle” (MITM) attack.
Another form of rerouting attack used by banking trojans involves the malware rerouting traffic from a trusted web site to an attacker's server. This is known as “pharming” and involves the attacker's server presenting the user with a fake website which requests the user to enter their login details. The login details are stored by the server and the server informs the user that the website is down and asks the user to try again later. As the login requested by the user is not actually made, the collected login details remain “fresh”.
An even more dangerous form of banking trojan has now appeared. This type of banking trojan can introduce malware which does not need to capture actual data from the user, but rather only needs to capture the sessions in which the service transaction takes place. More specifically, the malware hooks into the web browser and no rerouting to an attacker's server is required. This type of malware is dangerous because it piggybacks on the valid authentication and authorisation mechanisms and does not need to know any details of these. In addition, it can circumvent end-to-end security mechanisms such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
On finding that the user is visiting an online bank, the malware modifies or adds transactions in order to transfer money from the user's account to the attacker's account. The malware would then arrange for the transferred money to be quickly withdrawn from the attacker's account. Typically, a local money laundering “mule” is used to withdraw the money, i.e. a person who is local to the user's country. This avoids the delay caused in transferring money between different countries and makes it very difficult for policing agencies to trace the person responsible for the crime.
Such malware identifies specific traffic by using a list of sites (URLs) and other tags that the attacker wishes to target and comparing visited addresses against these URLs and tags. When the trojan installs the malware, it stores the list in an area of computer memory, possibly after downloading the list from a server that the attacker maintains if the trojan itself does not contain the list. The list would typically consist of banking strings including, for example, whole or partial banking URLs, regular expressions that match bank URLs, strings which match bank web pages (like “Welcome to . . . Bank” or “accountbalance.jsp”), any of the preceding strings that have been obscured to avoid identification, or cryptographic hashes of the preceding strings. For an obscured or encrypted list, the malware can identify the traffic by first obscuring/encrypting the traffic and then comparing the obscured/encrypted traffic against the list.
FIG. 1 illustrates schematically an example of how a banking trojan might operate. This involves circumventing the SSL or TLS encryption by injecting Application Programming Interface (API) hooks into web browser functions that handle unencrypted traffic, i.e. the malware works with the sensitive data prior to encryption. Each time the user enters data into the browser, either as a URL or into a web form, the malware intercepts the data before the computer sends the data over the Internet. The malware searches the data for banking strings and, if a positive match is found, the malware activates a process for monitoring, adding, and modifying transactions. The malware would typically hook wininet.dll functions that are related to downloading web pages.
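The following Python program is an added illustration, not part of the original text, of how a defensive check might detect the kind of API hooking described above: the first bytes of a DLL export as they appear on disk are compared with the bytes observed at the same address in a running process, and a mismatch that begins with a relative jump or a push/ret sequence is reported together with the address control is diverted to and whether that address lies inside the module. The export names HttpSendRequestA and InternetReadFile are real wininet.dll exports used here only as labels; the module base, sizes, relative virtual addresses and all byte sequences are constructed assumptions, and no real process or file is read.

```python
import struct

# Constructed module layout standing in for a loaded wininet.dll (not real addresses).
MODULE_BASE = 0x76E00000
MODULE_SIZE = 0x00200000

# Hot-patchable prologue that Windows DLL exports commonly start with
# (mov edi,edi ; push ebp ; mov ebp,esp), followed by constructed continuation bytes.
CLEAN_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC\x83\xEC\x10\x53\x56\x57\x8B\x7D\x08\x85\xFF"


def decode_detour(code: bytes, va: int):
    """Recognise two common inline-hook shapes at the start of a function.

    Returns (kind, target), where target is the absolute address control is
    diverted to, or None if the bytes do not look like a detour.
    """
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (va + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32 ; ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return None


def check_export(name: str, rva: int, disk_bytes: bytes, memory_bytes: bytes,
                 base: int = MODULE_BASE, size: int = MODULE_SIZE) -> dict:
    """Compare an export's first bytes on disk with those seen in process memory."""
    n = min(len(disk_bytes), len(memory_bytes))
    result = {"function": name, "hooked": False, "detour": None,
              "target": None, "target_in_module": None}
    if disk_bytes[:n] == memory_bytes[:n]:
        return result                                           # prologue untouched
    result["hooked"] = True
    detour = decode_detour(memory_bytes, base + rva)
    if detour is not None:
        kind, target = detour
        result["detour"] = kind
        result["target"] = target
        # A detour leaving the module is the classic sign of injected hook code.
        result["target_in_module"] = base <= target < base + size
    return result


def build_sample_exports():
    """Constructed snapshot: export name -> (RVA, bytes on disk, bytes in memory)."""
    hooked_rva = 0x0001A2B0
    hook_target = 0x00420000   # constructed address outside the module
    rel32 = hook_target - (MODULE_BASE + hooked_rva + 5)
    hooked_prologue = b"\xE9" + struct.pack("<i", rel32) + CLEAN_PROLOGUE[5:]
    return {
        "HttpSendRequestA": (0x00012F40, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
        "InternetReadFile": (hooked_rva, CLEAN_PROLOGUE, hooked_prologue),
    }


def scan_exports(exports=None):
    """Run the prologue comparison over every export in the snapshot."""
    if exports is None:
        exports = build_sample_exports()
    return [check_export(name, rva, disk, mem) for name, (rva, disk, mem) in exports.items()]


if __name__ == "__main__":
    for row in scan_exports():
        print(row)
```

In a real scanner the disk bytes would come from the mapped file on disk after applying relocations, and a detour into a region that belongs to no loaded module would be the finding worth reporting, since a legitimate hot patch stays within the module's own image.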
Conventional anti-virus applications identify viruses based upon virus signatures and heuristics, i.e. behavioural rules, using a search of the computer's hard disk. In the case of a crude banking trojan, it should be possible to scan the computer system and find a previously identified malware signature. In some cases, the malware will be in a packed form (both for reasons of efficiency and in an attempt to hide the malware) and hence the actual malicious code will not exist as such on the hard disk. At execution of the malware (e.g. on start-up of a computer), the code is unpacked and stored in the system memory (i.e. the computer's RAM). Of course, if a particular packed trojan has been detected by an anti-virus application provider, the provider can generate and issue a signature also for the packed trojan. Nonetheless, packing does allow attackers to “mutate” malware easily and quickly.
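Because the banking-string list is held in memory, and because a packed trojan only exists in unpacked form in RAM, a scanner that inspects process memory rather than the hard disk can look for that list directly. The following Python program is an added example, not part of the original text, of such a search over a dumped memory region: each indicator is looked for in plaintext, as a raw or hex-encoded digest, and under every single-byte XOR obscuring. The indicator strings, the choice of digest algorithms, the XOR scheme and the sample memory region are all constructed assumptions; a real trojan's list format would have to be learned from analysis.

```python
import hashlib
import re

# Constructed indicator strings of the kind a banking trojan's target list
# might hold (hypothetical bank names and URLs, not real institutions).
BANK_STRINGS = [
    b"accountbalance.jsp",
    b"Welcome to Example Bank",
    b"online.example-bank.test/login",
]

# Digest algorithms assumed for a "hashed" target list.
HASH_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_variants(indicator: bytes):
    """Yield (form, pattern) pairs for raw and hex-encoded digests of an indicator."""
    for name in HASH_ALGORITHMS:
        digest = hashlib.new(name, indicator).digest()
        yield f"{name}:raw", digest
        yield f"{name}:hex", digest.hex().encode("ascii")


def xor_variants(indicator: bytes):
    """Yield (form, pattern) pairs for every single-byte XOR obscuring of an indicator."""
    for key in range(1, 256):
        yield f"xor:0x{key:02x}", bytes(b ^ key for b in indicator)


def scan_memory(region: bytes, indicators=BANK_STRINGS):
    """Search a memory region for each indicator in plain, hashed and XOR-obscured form.

    Returns a list of findings: the indicator, the form it was found in, and its offset.
    """
    findings = []
    for indicator in indicators:
        patterns = [("plain", indicator)]
        patterns.extend(hash_variants(indicator))
        patterns.extend(xor_variants(indicator))
        for form, pattern in patterns:
            for match in re.finditer(re.escape(pattern), region):
                findings.append({
                    "indicator": indicator.decode("ascii"),
                    "form": form,
                    "offset": match.start(),
                })
    return findings


def is_suspicious(region: bytes, min_hits: int = 2) -> bool:
    """Treat a region as trojan configuration if at least min_hits distinct indicators appear."""
    hit = {f["indicator"] for f in scan_memory(region)}
    return len(hit) >= min_hits


def build_sample_region() -> bytes:
    """Constructed stand-in for a dumped memory region: filler around three hidden indicators."""
    filler = bytes(range(256)) * 2
    return (
        filler
        + BANK_STRINGS[0]                                # stored in plaintext
        + filler
        + hashlib.sha256(BANK_STRINGS[1]).digest()       # stored as a raw SHA-256 digest
        + filler
        + bytes(b ^ 0x5A for b in BANK_STRINGS[2])       # stored XOR-obscured with key 0x5A
        + filler
    )


if __name__ == "__main__":
    for finding in scan_memory(build_sample_region()):
        print(finding)
    print("suspicious:", is_suspicious(build_sample_region()))
```

Requiring more than one distinct indicator before raising an alert keeps a single incidental occurrence of a bank name in, say, a browser cache from being reported, while a cluster of bank strings in one region of an unrelated process is the pattern the scanner is looking for.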
The signature approach works well providing that malware has been detected by the anti-virus application provider, and that a computer has been updated with the new signature(s). Of course this is not always the case, particularly as banking trojan attacks are often targeted (i.e. they are not “broadcast”) to keep their visibility low and to reduce the chances of anti-virus application providers generating and providing signatures for the malware. Furthermore, some malware may be able to hide itself from an anti-virus application, for example by intercepting memory calls by the application to filter out the malware code.
A heuristic approach is typically used in conjunction with a signature scanning approach in order to detect unknown or “cloaked” viruses. The heuristic approach involves monitoring the behaviour of the computer system to look for suspicious behaviour and indicators. On finding such behaviour or indicators, the anti-virus application will notify the user, inform him or her of the program or file responsible, and possibly act to inhibit the malware and disinfect the computer.