NEWS FROM THE LAB - Tuesday, April 1, 2008

Unusual Banking Trojan Found Today
Posted by Mikko @ 07:22 GMT

We've seen tons of banking trojans lately, but now we've run into something quite unique.

This new banking trojan was found today on a drive-by-download site. We've added detection for it as Win32.Pril.A.

It not only infects the MBR of the machine, but also re-flashes the boot code in the Flash BIOS, making disinfection problematic.

Once an infected machine is online, the trojan monitors the user's actions, waiting for him to go to one of several hundred online banks, located all over the world.

Sample XML

Once the user has logged on, the banking trojan uses PCMCIA to inject code into the VGA! As an end result, the trojan creates a man-in-the-browser attack against the victim.

Now, the really surprising part is what the trojan does. Normal banking trojans would insert extra transactions or change the deposit account numbers on-the-fly. However, Win32.Pril.A doesn't withdraw money from you — it actually inserts money TO your account. This looked so weird we had to test it several times, on all of our accounts.

The drive-by-download site is still up. Normally, we wouldn't list the URL for such a site, or we would at least obfuscate it in a screenshot. However, this time we'll make an exception. We will even make the link clickable: http://aprilbanking.cjb.net/.