Trusteer, a Boston-based provider of computer security services, today announced it has discovered that an 18-month-old worm has morphed into financial malware and is attacking U.S. and U.K. banks' online security systems.
The vendor said it captured and reverse-engineered configurations from the well-known file-infecting worm Win32.Ramnit and found that it has incorporated tactics from the Zeus financial malware platform, including the ability to inject HTML code into a web browser. Ramnit is using that capability to bypass the two-factor authentication and transaction signing systems that financial institutions use to protect online banking sessions. Zeus was first identified in 2007 and is known to have affected millions of computers.
Ramnit was first detected in 2010 and targets .EXE, .SCR, .DLL, .HTML and other file types. According to Trusteer, the evolution of Ramnit into a fraud tool was made possible when the source code of the notorious Zeus financial malware platform was made freely available on the Internet earlier this year.
"The metamorphosis of Ramnit into financial malware is a sign of things to come now that the Zeus financial malware source code has been made openly available to anyone on the Internet," said Amit Klein, CTO of Trusteer in a written statement. "Unlike the past, when financial institutions had to defend against a limited number of malware platforms, attacks can now come from virtually any malicious software program -- old or new."
Microsoft has deemed the Ramnit worm a "severe" threat and said that, among other threats, it steals sensitive information such as saved FTP credentials and browser cookies.
Ramnit represents about 17.3 percent of all new malware infections, according to Symantec.