Security Blog

IKARUS as trailblazer – only 3 antivirus vendors protect customers from infection*

Screenshot: analysis of the banking Trojan


In 2014, bank customers once again fell victim to spam attacks. An email told customers that they would find an invoice in the attachment; the attachment, however, delivered a banking Trojan. For one victim in particular, the end result was that €35,000 was found to be missing from their account a few days later. “As soon as we notice malware like this, we implement the technology necessary to protect our customers from it. This is completely normal procedure and nothing unusual for IKARUS”, says Gaspar Furtado, a specialist for malware analysis at IKARUS. The benefit is not limited to Austrian customers: the same email spread right around the world and claimed countless victims in Switzerland, Sweden and even Japan, while users of IKARUS technology in those countries were protected.

At the beginning of May 2015, researchers from several antivirus vendors met at a well-known security conference to exchange new information and findings. “The banking Trojan, which had been familiar to us since 2014, was still a hot topic. An entire presentation was dedicated to it since so many people had already been affected”, reports Gaspar Furtado, specialist for malware analysis at IKARUS, who took part in the conference himself.
More than two weeks have passed since that meeting. Most reputable antivirus vendors have heard of the banking Trojan and have long since been back in their offices. You would think that, the Trojan now being public knowledge, any antivirus product would protect you, but you would be mistaken. A visit to VirusTotal, the independent site where a file can be uploaded at any time and scanned by the file scanners of 57 antivirus vendors to establish whether it is infected, gives a clear result: of the 57 engines, only THREE detected the banking Trojan. All the others report the file as clean and would therefore not protect their customers against such an attack. (A VirusTotal verdict reflects each vendor's file scanner at the moment of the scan rather than every layer of the installed product, but a clean verdict still means that scanner misses the sample.) Gaspar Furtado sums up the unfortunate reality of the situation: “The customer is simply put at risk when he could be protected but isn’t – one wrong click when he’s not paying attention and the money’s gone”.


What does a banking Trojan do?

A banking Trojan can operate in various ways, but two activities are typical:

  • it taps the access data for the bank account (i.e. the user name and password), or
  • it takes the man-in-the-middle approach and alters the payee or amount on transfers.

In the latest version of the Trojan referred to above, the attack works as follows:

  1. The Trojan changes the system's DNS server setting or configures a proxy server of its own choosing
  2. It installs a root certificate so that the user no longer receives certificate warnings
  3. The next time the user visits the bank's website, he is redirected to a copy that is not the real bank site; because of the rogue root certificate, no warning is shown
  4. When the user logs in to online banking on this copy, his login data is captured
  5. The user is then instructed to install an app on his phone
  6. Once the app is installed, the attackers can read and filter all SMS messages, including the transaction codes, and so have full control of the account
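Why step 2 matters for step 3 can be shown in a few lines. The following Go program is an added example, not code from the original post or from IKARUS: it builds a hypothetical bank root CA and a hypothetical rogue root of the kind the Trojan installs, has each issue a certificate for the bank hostname (online.examplebank.test, an assumed name), and checks which certificates the trust store accepts before and after the rogue root is added. It then shows the one client-side check a rogue root cannot pass: pinning the SHA-256 of the legitimate CA's public key (SubjectPublicKeyInfo).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Bank hostname assumed for this example; the Trojan redirects it to a copy of the site.
const bankHost = "online.examplebank.test"

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sign generates a key for tmpl and has parent sign it; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newRoot builds a self-signed CA. The bank's CA and the Trojan's rogue root are
// built identically, which is why a trust store alone cannot tell them apart.
func newRoot(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// newLeaf has root issue a server certificate for host.
func newLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string, serial int64) *x509.Certificate {
	leaf, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return leaf
}

// accepted reports whether the trust store validates leaf for bankHost (a failure is what
// the browser shows as a warning). A non-nil pin, the SHA-256 of the expected CA's
// SubjectPublicKeyInfo, must additionally appear somewhere in the verified chain.
func accepted(leaf *x509.Certificate, pin *[sha256.Size]byte, trusted ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	// Verify returns no chains on any error (unknown authority, wrong hostname, expiry).
	chains, _ := leaf.Verify(x509.VerifyOptions{DNSName: bankHost, Roots: pool})
	for _, chain := range chains {
		for _, c := range chain {
			if pin == nil || sha256.Sum256(c.RawSubjectPublicKeyInfo) == *pin {
				return true
			}
		}
	}
	return false
}

// outcome records each check in the order the attack unfolds.
type outcome struct {
	RealSiteOK          bool // genuine certificate, clean trust store
	FakeSiteCleanStore  bool // attacker's copy before step 2: warning
	FakeSiteTrojanStore bool // attacker's copy after the rogue root is installed: no warning
	FakeSitePinned      bool // same, but the client pins the bank CA's key: caught
	RealSitePinned      bool // the genuine site still passes the pin
}

func scenario() outcome {
	bankCA, bankKey := newRoot("Example Bank Root CA (hypothetical)", 1)
	rogueCA, rogueKey := newRoot("Root installed by the Trojan (hypothetical)", 2)
	real := newLeaf(bankCA, bankKey, bankHost, 10)
	fake := newLeaf(rogueCA, rogueKey, bankHost, 11) // same hostname, attacker's key
	pin := sha256.Sum256(bankCA.RawSubjectPublicKeyInfo)
	return outcome{
		RealSiteOK:          accepted(real, nil, bankCA),
		FakeSiteCleanStore:  accepted(fake, nil, bankCA),
		FakeSiteTrojanStore: accepted(fake, nil, bankCA, rogueCA),
		FakeSitePinned:      accepted(fake, &pin, bankCA, rogueCA),
		RealSitePinned:      accepted(real, &pin, bankCA, rogueCA),
	}
}

func main() {
	fmt.Printf("%+v\n", scenario())
}
```

Running it prints RealSiteOK and RealSitePinned as true, FakeSiteCleanStore as false (the copy of the site would trigger a warning), FakeSiteTrojanStore as true (after step 2 the warning is gone, which is the whole point of installing the root) and FakeSitePinned as false: a pin on the bank CA's public key rejects the rogue chain even though the trust store accepts it. The same idea works without code: the issuer shown in the browser's certificate dialog should be the bank's usual CA, not an unfamiliar name. The check a practitioner would add on a suspect PC is to list the root store (on Windows, `certutil -store Root` or `Get-ChildItem Cert:\LocalMachine\Root` in PowerShell) for roots that do not belong there, and to compare the DNS servers from `ipconfig /all` and the proxy settings under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings with what the network is supposed to use.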

Tips from the IKARUS experts:

  • Always check the transaction-code SMS (TAC) to make sure payee and amount are correct
  • Never install apps you know nothing about, and in particular none that a website prompts you to install during online banking
  • Don’t open mail attachments from unknown senders
  • Always check the URL of your online banking site
  • Use an antivirus product on both your PC and your smartphone

* Last updated on 27 May 2015; based on an actual scan on VirusTotal

© 2019 IKARUS Security Software GmbH