There are many techniques used by malware in the banker family to steal user’s authentication credentials for online banking sites. We came across an interesting sample recently, detected as Trojan:Win32/Banload.A, which uses a remote proxy script in order to target online banking sites and facilitate data theft.
When Trojan:Win32/Banload.A is executed, it opens an Internet browser to a certain animation site to trick the user into thinking that it’s nothing but an animation file:
However, the cute animation masks the main objective of this trojan, which is to modify the web browser settings to use a Proxy Automatic Configuration script… And once set, that’s it! Mission accomplished! This malware’s job is done, for now…
By using a proxy configuration script, the trojan sets the user’s Internet connection to be routed through a proxy server.
Affected users should note that in the case of Trojan:Win32/Banload.A, because it makes changes to the proxy settings, removing the malware will not be enough to fix an affected computer and return it to a pre-compromised state. The configuration settings will need to be fixed manually. Without changing these settings, while the remote script remains available, the affected computer will still be utilizing it. The script effectively moderates the affected user’s Internet use – possibly providing false information and redirecting the user away from sites of their choice to sites of the attacker’s choice – with the affected user being none the wiser.
MMPC downloaded the Proxy Script from the URL (shown in the above graphic) and found it to be malicious; we detect it as TrojanProxy:JS/Banker.B. It contains code that monitors for online banking sites visited by the affected user, and redirects traffic to a proxy server that could result in the theft of authentication credentials or other sensitive information.
In order to change these proxy settings:
1. In Internet Explorer, click the Tools menu, and then click Internet Options.
2. Click the Connections tab, and then click LAN Settings.
3. In the Automatic configuration area, de-select Use automatic configuration script.
4. Click OK.
For more information about using automatic proxy configuration, see the following articles:
Jonathan San Jose