A new banking Trojan, dubbed Tatanarg, has surfaced that combines a tried-and-true man-in-the-browser (MITB) attack with advanced features capable of disabling the Zeus Trojan, according to new research from Symantec Corp.
"For as long as there have been banking Trojans, there has been a cat-and-mouse game between the banks and the criminals as each side responds to the other's moves to thwart the actions of the other," Symantec researcher Hon Lau wrote in Symantec's Security Response Blog.
One of Tatanarg's utilitarian features is its ability to modify HTML in the browser, a common feature of MITB Trojans. This lets the Trojan display false SSL icons or trusted-site notifications and add extra fields to Web forms. That differs from the recently surfaced OddJob banking Trojan, which hijacks a victim's banking session from a remote server: OddJob seizes browser session ID tokens to keep users logged into their accounts long after they think they have logged off.
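As an added defender's example (not from Symantec's write-up or the original article), the Python below flags form fields that show up in the browser's rendered page but were never in the HTML the bank served, and applies the same mismatch check server-side to the parameters of a submitted POST; the form, the field names and the POST body are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs


class FormFieldExtractor(HTMLParser):
    """Collect the name attribute of every input/select/textarea in a page."""

    def __init__(self):
        super().__init__()
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.fields.add(name)


def form_fields(html):
    """Return the set of form field names found in an HTML document."""
    parser = FormFieldExtractor()
    parser.feed(html)
    return parser.fields


def injected_fields(served_html, rendered_html):
    """Client-side check: fields in the DOM that the server never sent.
    An MITB Trojan that appends extra inputs to a form shows up here."""
    return form_fields(rendered_html) - form_fields(served_html)


def unexpected_post_fields(served_html, post_body):
    """Server-side check: POST parameters the served form never asked for.
    Only catches injected fields the proxy forwards unchanged."""
    submitted = set(parse_qs(post_body, keep_blank_values=True))
    return submitted - form_fields(served_html)


# Constructed sample: the form the bank served ...
SERVED_FORM = """<form method="post" action="/login">
  <input name="username"><input type="password" name="password">
  <input type="hidden" name="csrf" value="constructed-token">
</form>"""
# ... the same form after hypothetical MITB injection of two extra fields ...
RENDERED_FORM = SERVED_FORM.replace(
    "</form>", '<input name="atm_pin"><input name="card_number"></form>')
# ... and a constructed POST body carrying the injected values.
POST_BODY = ("username=alice&password=constructed&csrf=constructed-token"
             "&atm_pin=1234&card_number=4111")

if __name__ == "__main__":
    print("injected in browser:", injected_fields(SERVED_FORM, RENDERED_FORM))
    print("unexpected in POST:", unexpected_post_fields(SERVED_FORM, POST_BODY))
```

Because the Trojan sits between the user and the bank, it can strip the extra fields before forwarding, so the server-side check is a supplement to the client-side comparison, not a replacement.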
Tatanarg also offers a back door allowing full command and control of infected systems. Attackers can use the Trojan to do anything from terminating processes and running arbitrary code to completely shutting down or rebooting the infected computer.
"In addition to being able to just steal information, it also offers a back door, allowing a remote attacker to issue various commands to control the infected computer," Lau wrote. "Commands range from listing and terminating processes running on the computer, clearing browser cookies, executing arbitrary programs, to rebooting the computer."
Lau said Tatanarg steals banking data by forming a proxy service between the end user and their online bank. It intercepts the certificate and key distributed by the bank and uses that to encrypt outbound traffic, making the bank think that the traffic is coming from the user. On the end-user side, the Trojan generates its own certificate, allowing it to decrypt any information it receives from the user. By generating its own certificate and modifying HTML in the browser, Tatanarg is able to trick the user into thinking they are using a secure connection.
Once the user sends the data, the Trojan decrypts it using its own certificate, steals it, performs any necessary manipulation, re-encrypts it using the bank's certificate and sends it off. This all happens without any noticeable user-side hiccups.
Symantec said the Trojan may have roots in W32 Spamuzle, spam-sending malware that began to include advanced features, such as support for SSL proxies, in October 2010.