A “private” banking Trojan competes with ZeuS

The recent surge of brand new banking Trojans continues to give us more things to worry about. The latest one is named “Feodo”, and it has been around for months now, but was probably considered to be just a variant of the more popular ZeuS and SpyEye malware.

Further analysis showed that even though it has some features in common with them, Feodo has its own characteristics:

  • It is not the result of a crimeware toolkit and it seems to be used by a single cyber gang.
  • It is also perfectly capable of executing a man-in-the-browser type of attack, by inserting its own cleverly crafted HTML pages asking for further details of the users – and even stealing HTML pages from the browsing session so that the attackers can recreate fake pages according to these stolen templates.
  • The bot herders get all the information in plain text, since the malware starts sending the web form data as soon as a banking site is visited by the victim – before the data gets encrypted.

FireEye’s researcher was also amazed by the number of target URLs contained in the Trojan’s configuration file, among which there are well-known and lesser known banks and financial institutions, and popular services such as Amazon, Gmail, Facebook, MySpace, and others. Altogether, well over a hundred different web sites are marked.

There are a lot of things that could work in favor of this Trojan. As of yesterday, its detection rate on VirusTotal was abysmal – only 2 of the 42 solutions were successful. Also, Feodo’s code is private, so it can be changed by the gang whenever they need a new feature – no need to wait for a new toolkit.

And until other criminals get their hands on the code, it will probably be used only by this group. “Unlike Zbot which has become a victim of its own success, this malware can fly under the radar for a long time,” says the researcher.