Symantec today spotted a trojan, Trojan.Stabuniq, infecting a number of financial institutions. The trojan itself is simple and seemingly easy to remove, but its discovery highlights the importance of teaching employees about phishing attacks.
The trojan is not confined to banks: 11 percent of the infected systems belonged to Internet security businesses, which Symantec suggests may have installed it deliberately for research purposes.
“A staggering 39 percent, however, belong to financial institutions,” Symantec said in a blog post. “These financial institutions had their outer perimeter breached as the trojan has been found on mail servers, firewalls, proxy servers, and gateways.”
Symantec further notes that “the malware authors may simply be gathering information,” perhaps in preparation for something more advanced.
The trojan spreads through phishing attacks. A phishing attack tricks victims into believing they are clicking on a safe link or downloading a familiar attachment, when in reality they are being served malware. These attacks can be very crude, such as an email from a supposed prince in Nigeria asking for bank account information. They can also be slightly more sophisticated, like “email spoofing,” forging a message’s headers so that it appears to come from a trusted source.
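Spoofing the visible sender is cheap, but the forgery usually leaves gaps elsewhere in the headers. The script below is an added example, not code from Symantec or from this article: it parses a raw message with Python's standard `email` module and reports the mismatches a spoofed sender tends to produce (a Return-Path or Reply-To on a different domain than From, a display name that claims a different address than the one actually used, and an SPF failure recorded by the receiving mail server). The three sample messages and all domains in them are constructed for illustration.

```python
"""Header-level checks for a spoofed sender in a raw RFC 5322 message.

Added example; not code from the Symantec write-up or the article. The
sample messages below are constructed. An empty result does not prove a
message is genuine; it only means none of these header checks fired.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def _domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header, '' if none."""
    _, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def spoofing_indicators(raw_message: str) -> list[str]:
    """Return human-readable reasons the sender looks spoofed."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = _domain(msg.get("From", ""))
    findings = []

    # 1. Display name carries an address on a domain other than the real From.
    claimed = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", display_name)
    if claimed and claimed.group(1).lower() != from_domain:
        findings.append(
            f"display name claims {claimed.group(1).lower()} but From is {from_domain}")

    # 2. Bounce address (envelope sender) on a different domain than From.
    return_path_domain = _domain(msg.get("Return-Path", ""))
    if return_path_domain and return_path_domain != from_domain:
        findings.append(
            f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")

    # 3. Replies steered to a third domain the victim did not write to.
    reply_to_domain = _domain(msg.get("Reply-To", ""))
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_to_domain} differs from From domain {from_domain}")

    # 4. The receiving MTA already recorded an SPF failure for the envelope sender.
    auth_results = msg.get("Authentication-Results", "")
    if re.search(r"\bspf=(?:fail|softfail)\b", auth_results, re.IGNORECASE):
        findings.append("Authentication-Results records an SPF failure")

    return findings


# Constructed sample: From forged onto the trusted domain, while the envelope
# sender, Reply-To and SPF result all point at the attacker's infrastructure.
SPOOFED_ENVELOPE = """\
Return-Path: <bounce@mailer-free.example>
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=mailer-free.example
From: "Trusted Bank Alerts" <alerts@trusted-bank.example>
Reply-To: <helpdesk@trusted-bank-support.example>
To: employee@recipient.example
Subject: Action required: review the attached statement

Please open the attachment and confirm your account details.
"""

# Constructed sample: envelope and SPF are consistent, but the display name
# is itself an address on the impersonated domain.
SPOOFED_DISPLAY_NAME = """\
Return-Path: <alerts@mailer-free.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mailer-free.example
From: "ceo@trusted-bank.example" <alerts@mailer-free.example>
To: employee@recipient.example
Subject: Urgent wire request

Process the attached invoice today.
"""

# Constructed sample: internal notice with aligned headers.
LEGITIMATE = """\
Return-Path: <it-helpdesk@recipient.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=recipient.example
From: "IT Helpdesk" <it-helpdesk@recipient.example>
To: employee@recipient.example
Subject: Scheduled maintenance Saturday

Mail will be unavailable from 02:00 to 03:00.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed envelope", SPOOFED_ENVELOPE),
                          ("spoofed display name", SPOOFED_DISPLAY_NAME),
                          ("legitimate", LEGITIMATE)):
        print(label, "->", spoofing_indicators(sample) or "no indicators")
```

These checks are a triage aid for a mail gateway or an analyst looking at a reported message, not a verdict: a legitimate bulk mailer can trip the Return-Path check, and an attacker who controls a look-alike domain with valid SPF will trip none of them.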
After an employee falls for the phishing scheme, the trojan is downloaded to the computer and disguises itself as a legitimate component. It might pose as Java Quick Starter or the InstallShield Update Service Scheduler, names that look unremarkable on the surface. It then collects information about the system: the computer name, the IP address, the operating system version, the running processes, and so on.
This information is sent back to the command-and-control servers and may also be sent to a number of other remote locations, including one at the domain bbcnews192.com.
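The two artifacts the write-up does name, the borrowed component names and the command-and-control domain, are enough for a first triage pass. The script below is an added example and not Symantec's detection logic: it flags processes that carry one of the impersonated names but run from outside the directories where the genuine components are expected (those directories are an assumption), and it pulls requests to bbcnews192.com or any of its subdomains out of proxy logs while ignoring look-alike hosts such as notbbcnews192.com. The process inventory, file names and log lines are constructed.

```python
"""Post-infection triage for the artifacts named in the write-up.

Added example, not Symantec's tooling. The process inventory and proxy log
lines are constructed; the trusted-directory list is an assumption about a
typical Windows host, used to spot a look-alike running from a user profile
or temp folder.
"""
from urllib.parse import urlsplit

# Component names the write-up says the trojan poses as.
IMPERSONATED_NAMES = {"java quick starter", "installshield update service scheduler"}

# Where legitimately installed software lives on a typical Windows host (assumption).
TRUSTED_PATH_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# Command-and-control domain named in the write-up.
C2_DOMAINS = ("bbcnews192.com",)


def suspicious_processes(inventory):
    """inventory: iterable of (display_name, image_path).

    Returns entries that borrow an impersonated name but run from outside
    the trusted directories.
    """
    hits = []
    for name, image_path in inventory:
        if name.strip().lower() not in IMPERSONATED_NAMES:
            continue
        normalized = image_path.lower().replace("/", "\\")
        if not normalized.startswith(TRUSTED_PATH_PREFIXES):
            hits.append((name, image_path))
    return hits


def host_in_domain(host, domain):
    """True for the domain itself or any subdomain, never for a look-alike
    such as 'notbbcnews192.com' that merely ends in the same characters."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def c2_requests(proxy_lines):
    """Parse constructed lines '<timestamp> <client_ip> <method> <url> <status>'
    and return (timestamp, client_ip, host) for requests to a C2 domain."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        timestamp, client_ip, _method, url, _status = parts[:5]
        host = urlsplit(url).hostname or ""   # hostname drops any :port
        if any(host_in_domain(host, d) for d in C2_DOMAINS):
            hits.append((timestamp, client_ip, host))
    return hits


# Constructed inventory: one genuine Java Quick Starter under Program Files,
# two copies using the impersonated names from a user profile.
PROCESS_INVENTORY = [
    ("Java Quick Starter", r"C:\Program Files\Java\jre6\bin\jqs.exe"),
    ("Java Quick Starter", r"C:\Users\jdoe\AppData\Local\Temp\jqs.exe"),
    ("InstallShield Update Service Scheduler", r"C:\Users\jdoe\AppData\Roaming\issch.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
]

# Constructed proxy log: two beacons, one look-alike host, one benign request.
PROXY_LOG = [
    "2012-12-21T10:01:02Z 10.0.0.23 POST http://bbcnews192.com/ 200",
    "2012-12-21T10:01:09Z 10.0.0.23 GET http://www.bbcnews192.com:8080/index.html 200",
    "2012-12-21T10:02:15Z 10.0.0.41 GET http://notbbcnews192.com/ 200",
    "2012-12-21T10:03:30Z 10.0.0.41 GET http://www.bbc.co.uk/news 200",
]

if __name__ == "__main__":
    for name, path in suspicious_processes(PROCESS_INVENTORY):
        print(f"look-alike process: {name} at {path}")
    for timestamp, client_ip, host in c2_requests(PROXY_LOG):
        print(f"C2 request: {timestamp} {client_ip} -> {host}")
```

The path check is deliberately conservative: a legitimate updater installed to an unusual location will be flagged, which is acceptable for a triage list that an analyst reviews, and the domain check matches on whole labels so a benign host that merely contains the string is not reported.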