The Latest in IT Security

Malware Automates Hacking


Many of the developments in the computing world over the past years have involved the automation of day-to-day tasks. These developments have made people’s lives so much easier that we have come to depend on them. Paralleling these innovations, however, is their abuse by cybercriminals, whose malicious schemes have one goal in mind: to gain profit.

This very reason – profit – has proven to be sufficient motivation for blackhat hackers to constantly innovate in attacking computing security technology. They research, explore, and develop the malicious programs we now call “malware”. Although malware is continuously developed, whether to become more resilient to anti-virus solutions or to be more effective at delivering its intended payload, the threat trend suggests one consistent picture: malware is automated hacking.

Manual Hacking in the Early Days

For example, during the early days of hacking, everything had to be done manually. Hackers needed to manually check computers for weaknesses or open ports to be able to hack their way into a target machine. Once they were in, they also carried out their intended actions manually.

Today, various tools like vulnerability scanners and port scanners are widely available over the Internet. Backdoor malware can remotely manipulate a compromised machine, and worms automate the spreading of malware through self-replication. Even the generation of malicious files can be automated with the help of malicious toolkits.

Information and Financial Theft

Given the trend of malware advancements today, one may assume that pretty soon, cybercriminals will just spread their malware over the Internet, watch TV, and wait for stolen money to be deposited in their bank accounts (if this is not already the norm). Interestingly, we’ve started to see this materialize in the form of TSPY_BANKER.PHT.

TSPY_BANKER.PHT is a banking Trojan that specifically targets users associated with the Brazilian bank, Banco do Brasil. Upon stealing user account information, this malware attempts to automatically transfer money to a pre-defined account. This is similar to a feature seen in ZeuS and Spyeye called Auto Transfer System (ATS). Here is a screenshot of a dump of TSPY_BANKER.PHT’s code:

Highlighted in the above screenshot are the hardcoded malicious account name and number (blurred) and the amount of money (in Brazilian Real) that it will attempt to transfer. It also uses TED (Electronic Funds Transfer) to accomplish the transfer. TED is a money transfer system in which the money is available to the recipient within a few minutes. It is used only for transactions that involve large amounts of money, specifically those above R$ 3,000.00. According to Senior Threat Researcher Ranieri Romera, cybercriminals may have targeted TED because of the amount of money involved. Also, users who use TED can no longer cancel a transaction once it’s confirmed. However, most people in Brazil do not have that amount in their account, so the malware had low efficiency, though it could cause high damage once users become victims.

This is a threat definitely worth keeping an eye on, as it causes not only information theft for the affected user but also immediate financial loss.

The difference from ATS is that ATS needs to communicate with the C&C first before performing a money transfer, while TSPY_BANKER.PHT does this automatically by itself.

With more and more malicious activities being done automatically through malware, it looks like there will be more challenges for the security industry in the future. What we know as highly targeted attacks today may one day be just malicious code operating independently for its malicious creators.

Thanks to Trend Micro Researcher Ranieri Romera for providing us with the sample of TSPY_BANKER.PHT.
