Tuesday, 21 February 2012

Tatanarg, the banking trojan… Beware!

Date: Tuesday, 21 February 2012 05.37
Author: Unknown


Just yesterday, I came across the activity of a trojan named Tatanarg. The trojan is designed so cleverly that it is hardly possible for any security tool to detect its activity. It hijacks the SSL connection between the browser and online banking sites, blocks the client's antivirus notifications and uninstalls any other banking trojans that are present.
Let's quickly walk through how everything plays out for the attacker:
Suppose the victim opens a secured online banking website on a computer where the trojan is present. The trojan injects HTML code into the login page (a Man-in-the-Browser attack). As mentioned above, it disables antivirus notifications and kills other banking trojans if any are found on the victim's computer. You may recall that Trojan.Spyeye also had a feature to kill Zeus trojans.
Now that the trojan has finished the first part of its job, it starts acting as a proxy between the client browser and the banking site. The moment the user enters the login details and clicks the login button, a secured SSL connection is set up between the client and the banking website, which sends its certificate and the public key in that certificate to the browser for encrypting the data to be sent. But this certificate is actually intercepted by the trojan, which sends a different, self-signed fake certificate to the victim's browser along with a rogue public key, getting past the certificate verification step. The victim's details are encrypted with that fake public key and instantly decrypted by the trojan (since it is still acting as an intermediate proxy). Hence the trojan learns the actual data being transmitted, and later forwards it to the attacker.
[Figure: Tatanarg banking trojan]
The victim still feels secure, because he can see the https prefix in the address bar, indicating a secured SSL connection. Just last week, Trusteer reported on a trojan dubbed OddJob, which forces browsers to keep sessions open after users think they have successfully logged out.
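The substitution described above only works because the browser accepts whatever certificate the proxy presents. The following added example (not code from the original post) shows a defender-side check: a client that requires chain verification and hostname matching, and then compares the SHA-256 fingerprint of the presented certificate against a pinned value, so a swapped self-signed certificate is rejected even if the padlock and https prefix look normal. The certificate bytes below are constructed placeholders, not real certificates.

```python
"""Certificate pinning check against a substituted (proxied) certificate."""
import hashlib
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as upper-case hex pairs."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_cert: bytes, pinned_fingerprints) -> bool:
    """True only if the presented certificate is one the client has pinned."""
    return cert_fingerprint(der_cert) in set(pinned_fingerprints)


def weak_context() -> ssl.SSLContext:
    """The setting that lets a self-signed fake certificate through unchallenged."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Require a chain that validates to the trust store and a matching hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_and_check(host: str, port: int, pinned_fingerprints, timeout=5.0) -> bool:
    """Handshake with full verification, then enforce the pin on the leaf cert."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf_der = tls.getpeercert(binary_form=True)
            return pin_matches(leaf_der, pinned_fingerprints)


# Constructed sample inputs standing in for DER certificate bytes (hypothetical).
REAL_BANK_CERT = b"constructed-der-bytes-of-the-bank-leaf-certificate"
FAKE_PROXY_CERT = b"constructed-der-bytes-of-the-self-signed-proxy-certificate"
PINNED = {cert_fingerprint(REAL_BANK_CERT)}

if __name__ == "__main__":
    print("real cert accepted:", pin_matches(REAL_BANK_CERT, PINNED))   # True
    print("proxy cert accepted:", pin_matches(FAKE_PROXY_CERT, PINNED))  # False
```

A check like this running on the same machine as the trojan can itself be tampered with, which is why the advice below to bank from a dedicated computer or live CD still matters.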

The Tatanarg trojan also creates a backdoor through Windows Remote Access and keeps the attacker updated on the victim's activities. The trojan is active in the wild, so better beware before you get screwed.
Prevention: keep your antivirus programs up to date to ensure you have the latest protection available. Also, if possible, perform online banking from a dedicated computer or a live CD.
