Tuesday, 25 November 2008 09:49

TrustDefender looks deep into banking trojan's soul

Banking trojans, such as the reviled “SilentBanker” trojan that is capturing unsuspecting and even anti-virus protected users by surprise and ripping money out of bank accounts, are digital curses upon not only users but the financial industry as a whole. Security experts TrustDefender take it apart in their latest blog entry.

If you use a Windows based computer to do your online banking, chances are that you have an up-to-date Internet Security package with anti-virus, anti-malware/spyware, anti-rootkit, firewall and more.

But the latest trojans can be like undetected viruses – if your Internet security doesn’t know about a particularly brand new threat, will you still be protected?

Chances are the answer to that question is “no”, no matter what commercial Internet Security suite you are using – or at least, not until that suite has updated its “definitions” to include the latest trojan, so it can be detected and dealt with.

Over the past couple of years, an Australian security company called TrustDefender has taken a completely different approach, with software able to detect and physically stop any malware on any Windows computer, be it known or unknown, from penetrating your online banking (or any other transactional session online) - even if your computer is infected with the toughest and sneakiest trojans out there, or new ones hot off the cybercrim’s programming malware press.

That’s what TrustDefender claims, and the company has been recognised by the Australian Information Industry Association, winning an award (among others) in the financial category, and already has financial institutions offering TrustDefender software to their customers.

In addition, TrustDefender’s software works by making your computer a part of the bank’s security chain – the first software to do so.

It’s also completely browser independent, meaning it does not matter whether you are using Internet Explorer, Firefox, Google Chrome, Safari or something else, because browser independence means just that. You can find out more about how TrustDefender works on its website.

The company is led by Ted Egan, the CEO and co-founder and by Andreas Baumhof, co-founder and CTO. On TrustDefender’s blog, Baumhof regularly looks deep into the soul of the latest crimeware to understand the latest tricks, techniques and mindset of the malware programmer and online criminal.

The latest blog entry, dated November 24 2008, takes an “In-depth look at a Silentbanker variant (Silentbanker.B)”.

Baumhof explains that last week he was looking “at a compromised computer that was infected with the Silentbanker.B variant”, and he took the opportunity to “recover all relevant files including the installer.”

How did this nefarious trojan get onto the compromised computer that Andreas was now performing forensics on? Through the horrors of the drive-by download: because the computer’s antivirus software had no signatures for the Silentbanker trojan, it was able to install itself.


What Silentbanker does is to use a number of techniques to steal confidential information, and Baumhof explains:

“- It downloads encrypted configuration files from the internet to stay up-to-date with the policies

- It injects malicious HTML inside the current browser process to circumvent any browser based security solutions, including (EV-) SSL certificates, …

- It is a real-time Trojan that will transmit the stolen information instantly to circumvent any sandbox security solutions and 2-factor authentication devices. That also means that someone without your knowledge and without your approval is successfully authenticated. Even with a One-Time-Password.

- It uses userland-rootkit techniques to hide the malicious components from the harddrive to evade detection.

- However in the end, the Silentbanker Trojan is a very sophisticated BHO (Browser Helper Object) that works only with the Internet Explorer.”

TrustDefender explains that its “customers were protected against this by design with the Safe&Secure Mode and the Secure Lockdown.”

What are some technical details on the way SilentBanker works?

Baumhof explains that: “Once infected, the malicious BHO named mscorews.dll is loaded as a BHO from the Internet Explorer. However the interesting part is that once it is loaded, it will not be visible in the file system.

“Even more: Once the component is loaded, it will hide the file from the Windows API thus making the file “invisible”. Also the malicious DLL cannot be located through traversal of the module list of the Internet Explorer. In some sense, it does neither exist in memory, nor on the disk. Pretty clever.

“If the user now browses to a banking website that is known to the Silentbanker Trojan, it will inject the malicious HTML code.”

At this point the TrustDefender blog includes a series of images to illustrate what is going on, which you can see at the blog posting.
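To make the “neither in memory nor on disk” point concrete from the defender’s side, here is an added example (not TrustDefender’s or Baumhof’s code) of a cross-view audit in PowerShell: it lists every Internet Explorer BHO registered in the standard registry locations and checks whether each DLL is visible on disk through the Windows API and present in the module list of a running iexplore.exe. Only the mscorews.dll name comes from the page; the registry paths are the documented BHO and CLSID keys, and the “Suspicious” rule is this example’s own heuristic.

```powershell
# Added example (not TrustDefender's code): cross-view audit of registered IE BHOs.
# Views compared: registry registration, file visible on disk via the Windows API,
# and presence in the module list of a running iexplore.exe. A BHO that is registered
# but missing from the other two views matches the behaviour described for mscorews.dll.
# Caveat: enumerating modules of a 32-bit iexplore.exe from 64-bit PowerShell can be
# incomplete, so treat LoadedInIE=$false as a prompt to investigate, not as proof.

function Get-BhoCrossView {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    # Lower-cased module paths of every running IE process (empty if IE is not running).
    $ieProcs = Get-Process -Name iexplore -ErrorAction SilentlyContinue
    $loaded  = @()
    foreach ($proc in $ieProcs) {
        try { $loaded += $proc.Modules | ForEach-Object { $_.FileName.ToLower() } } catch { }
    }

    foreach ($key in $bhoKeys) {
        foreach ($entry in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $clsid = $entry.PSChildName
            # The CLSID's InprocServer32 default value is the DLL path the BHO loads from.
            $regPaths = @("Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
                          "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InprocServer32")
            $dll = $null
            foreach ($regPath in $regPaths) {
                $ip = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
                if ($ip -and $ip.'(default)') {
                    $dll = [Environment]::ExpandEnvironmentVariables($ip.'(default)'); break
                }
            }
            $onDisk   = if ($dll) { Test-Path -LiteralPath $dll } else { $false }
            $isLoaded = if ($dll) { $loaded -contains $dll.ToLower() } else { $false }
            [pscustomobject]@{
                Clsid      = $clsid
                Dll        = $dll
                OnDisk     = $onDisk
                LoadedInIE = $isLoaded
                # Registered but invisible on disk, or IE running without it in the module list.
                Suspicious = (-not $onDisk) -or ($ieProcs -and -not $isLoaded)
            }
        }
    }
}

Get-BhoCrossView | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the machine under examination; a registered BHO whose DLL fails Test-Path is either a stale registration or a file hidden from the Windows API, and either way deserves a look with an offline or kernel-level file listing.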

Baumhof continues explaining that: “Now the Trojan asks for additional private and confidential information from the user as opposed to the information the real bank login would ask. This information is collected and sent ‘in real-time’ to the C&C [command and control] server located in Russia.

“What happens if TrustDefender is deployed: With TrustDefender installed, when the customer logs in, we can also verify that the Secure Lockdown will successfully protect the user from having their confidential details stolen as the Silentbanker Trojan cannot send anything to anywhere (except the “real” SSL Certificate Fingerprints of Bank of America).

“Note: Another interesting fact is that this Silentbanker Trojan specifically targets the TAN (One-Time-Passwords) implemented mostly by German banks. This shows that there is only so much you can do on the server side and a full security solution has to include the client.

“The targeted banks for the TAN systems are: Postbank.de, Citibank.de, Deutsche-Bank.de, Norisbank.de, Seb-Bank.de, Fiducia.de (all Volks-/Raiffeisenbanken), Comdirect.de, 1822direkt.com, Haspa.de, Hypovereinsbank.de, Weberbank.de, Gad.de, Sparda.de, Mlp.de, Kaupthinedge.de, Psd-bank.de,” continued Baumhof.

Worryingly, Baumhof concluded that “Unfortunately the virustotal results of the malicious Silentbanker Module are quite disastrous (only 7 out of 36 Antivirus Engines detected the Trojan) last week. (see VirusTotal.com’s analysis for more details).”

It’s very interesting to note that today’s Internet Security suites do not contain TrustDefender’s capabilities, and that TrustDefender works seamlessly alongside any Windows security software, making a layered security approach even stronger.

I wonder which security company will snap it up – and irrespective of that – when your bank or financial institution will announce it is offering TrustDefender to all its customers?

Alex Zaharov-Reutt

Alex Zaharov-Reutt is iTWire's Technology Editor and one of Australia’s best-known technology journalists and consumer tech experts. Alex has appeared in his capacity as technology expert on all of Australia’s free-to-air and pay TV networks, on all the major news and current affairs programs, on commercial and public radio, and on technology, lifestyle and reality TV shows.
