The following is a list of our top five most commonly viewed encyclopedia pages last month:

  1. TrojanSpy:Win32/Bancos.gen!A
  2. Program:Win32/Antivirus2008
  3. Trojan:Win32/Vundo.gen!H
  4. Win32/Vundo
  5. Win32/Virtumonde

The trends look much like the month prior: the most popular encyclopedia entry is still Bancos, and several Vundo pages remain on the list. We covered Vundo last month, so I'll go into a little more detail about the Bancos trojan.

Bancos is a password-stealing trojan that originally targeted Brazilian online banking users. It's a relatively old and diverse family: we've been detecting it for several years now and have seen thousands of unique samples. We first added it to MSRT in September 2006. We've seen Bancos distributed via virtually all the usual propagation vectors: spam emails, browser exploits, P2P, IRC, disguised as other software, dropped by other malware, just to name a few.

Bancos exhibits a wide variety of behaviors; however, essentially all variants attempt to steal banking or financial passwords using one (or several) common techniques. Examples of these techniques include redirecting users to fake pages, monitoring keystrokes, interfering with browsers, and searching for cached passwords.

After it has started, Bancos typically searches the system for cached passwords and then remains memory resident, waiting for a browser window whose title matches one it has been instructed to look for. If the victim visits a page with a title the trojan is watching for, it will typically either capture the data entered or present the user with a false version of the page, enabling it to capture the victim's credentials.

Once captured, credentials are transmitted back to the distributor (often via email or FTP). We've seen quite a few samples that use the mail servers of large web-mail providers to send the stolen credentials, often to yet another web-based e-mail account.

The bottom line is: change your passwords regularly, particularly after finding (and removing) any malware running on your system. Even if the threat is removed, your passwords may have already been leaked. :(

Be careful out there...
Tareq Saade