Dangerous Banbra baking trojan leads the way

This week’s report focuses on the Cimuz.Cs and Banbra.DUG Trojans, and the Atnas.A worm. The three samples are quite dangerous, especially Banbra.DUG, a banking Trojan that can seriously compromise user confidentiality and even affect their finances.

Banbra.DUG belongs to the Banbra family of Trojans. These Trojans were the most detected banking Trojans during 2006 and are designed to steal customers’ details for certain online banking services. Banbra.DUG watches whether users access certain online banking services. When they do, it displays a spoofed web page, which is very similar to the real one, in which users must logon by entering details such as their bank account numbers or password. Banbra.DUG stores the information and sends it by email to its creator, who will use it to steal the affected user’s money. As with all Trojans, Banbra.DUG cannot spread on its own, but requires users’ intervention to perform certain actions in order to reach computers, such as opening emails or downloading files.

The second Trojan in this week’s report is Cimuz.CS. Like the previous Trojan, Cimuz.CS watches Web traffic, not only stealing banking details but all the information users enter in a Web form. It is designed to steal data like the IP address, country, system ID, host, etc. from the infected computer, which it stores in a file called info.txt. It periodically sends all the information it has obtained to its creator, who can benefit from it.

Once again, these two Trojans demonstrate that the main motivation behind cyber-criminals’ activities is financial gain and that Trojans are one of the tools they most use.

Atnas.A is a dangerous and curious worm. Its danger lies in that it is designed to cause distributed denial of service (DDoS) attacks to certain websites. These DDoS attacks consist of various systems attacking a server or system at the same time until they use up the available bandwidth, disrupting its services. This worm also replaces files belonging to various security programs and P2P folders with a copy of itself, which it renames as if it were the original file, changing their original extensions. Atnas.A spreads by copying itself under the names of legal programs in shared folders with name related to P2P networks (like emule, Kazaa,-¦). In this way, if a name coincides with what users want to download, they will actually download the worm.

Atnas.A also creates a key in the Windows Registry so that it is run whenever Windows is started. The curious characteristic of this worm is that the first time it is run, it returns an error message, but from then on, it shows an image of a naked woman made up of letters. These messages can be useful for users to identify whether their computer has been infected by this virus.


Don't miss