March 04, 2006
More on SSL trojans
SSL trojans are a huge threat!
I finally got a chance to examine some SSL trojans in more detail. Basically, there are, and have been for over a year, Windows trojans capable of MitM attacking SSL connections. My latest InfoWorld column (http://www.infoworld.com/article/06/03/03/75970_10OPsecadvise_1.html) summarizes one of the trojans.
Since I found the first one, I've learned that there are at least a few different variations. They use different methods, but do the same thing: criminally target banks and other e-commerce site customers, and steal logon credentials. They do this by injecting themselves onto the host and interceding in the legitimate SSL transaction in such a way that the browser's SSL icon does not change (i.e. it keeps showing the legitimate digital certificate).
Researching more, I found a site that appears, to me, to be responsible for a whole slew of the trojans. If you read their technology page on their web site, it will give you chills. Not in that they are doing something we thought impossible, but because they are selling their wares openly on the Internet.
I've received samples from a few banks now, and it is my belief that these types of trojans are responsible for losses in the millions of dollars (just speculation). The banks contacting me (under NDA) are reporting that hundreds of customers are impacted. Imagine how many customers aren't complaining yet.
Some of the trojans I'm examining have over 1,000 e-commerce and banking web sites hard-coded in. Almost all of the trojans are self-updating, so the list of sites keeps changing with every installation. Their mothership web sites keep going up and down on a daily basis.
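As an added illustration (this is not code from the post, and not taken from any of the samples described in it): a small triage script of the kind an analyst would run over a suspect binary to see whether it carries a hard-coded list of banking or e-commerce hostnames. It pulls printable ASCII and UTF-16LE strings out of a byte blob, picks out anything shaped like a hostname, and counts the distinct sites. The blob, the placeholder domains and the alert threshold are all constructed for the example.

```python
import re
from collections import Counter

# Hostname pattern: letter/digit/hyphen labels joined by dots, ending in a
# two-or-more-letter TLD. Deliberately loose; an analyst reviews the hits.
HOSTNAME_RE = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}", re.IGNORECASE
)
# Printable runs of at least four characters, in 8-bit and UTF-16LE form.
ASCII_RUN_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16LE_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def build_sample_blob() -> bytes:
    """Constructed stand-in for a trojan binary: placeholder hostnames (not
    indicators from any real sample) embedded as ASCII and UTF-16LE strings,
    separated by runs of non-text bytes."""
    filler = bytes([0x90, 0xCC, 0x00, 0xFF]) * 32
    ascii_hosts = [b"online.bank-example.com", b"secure.shop-example.net"]
    wide_hosts = ["login.creditunion-example.org", "online.bank-example.com"]
    parts = [filler]
    for host in ascii_hosts:
        parts += [host, b"\x00", filler]
    for host in wide_hosts:
        parts += [host.encode("utf-16-le"), b"\x00\x00", filler]
    return b"".join(parts)


def extract_strings(blob: bytes):
    """Yield (encoding, text) for every printable run found in the blob."""
    for m in ASCII_RUN_RE.finditer(blob):
        yield "ascii", m.group().decode("ascii")
    for m in UTF16LE_RUN_RE.finditer(blob):
        yield "utf-16le", m.group().decode("utf-16-le")


def extract_hostnames(blob: bytes) -> Counter:
    """Count hostname-shaped strings in the blob, lower-cased so the same
    site stored in two encodings is tallied under one key."""
    hosts = Counter()
    for _encoding, text in extract_strings(blob):
        for match in HOSTNAME_RE.finditer(text):
            hosts[match.group().lower()] += 1
    return hosts


def looks_like_target_list(hosts: Counter, threshold: int = 50) -> bool:
    """Heuristic: ordinary software rarely embeds dozens of distinct
    financial-site hostnames as literals. The threshold is an assumption
    chosen for illustration, not a value from the post."""
    return len(hosts) >= threshold


if __name__ == "__main__":
    found = extract_hostnames(build_sample_blob())
    for host, hits in sorted(found.items()):
        print(f"{hits:3d}  {host}")
    print("target-list heuristic:", looks_like_target_list(found))
```

Run against a real sample, the interesting output is not any one hostname but the shape of the list: hundreds of distinct financial sites in one binary is hard to explain innocently, and the same list appearing across otherwise different samples is what ties them back to a common toolkit.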
MessageLabs CTO, Mark Sunner, told me that they are intercepting two new specific target attack trojans a week.
If I get the time, I'm going to do a whole whitepaper on them.
What amazes me the most is how little publicity they are getting from CERT or the general press. Because the target threats don't impact 1,000,000 computers in a day, they aren't noteworthy to the general press yet...I guess. The criminals are flying under the radar and skimming potentially millions of dollars.
I'm theorizing that the world's biggest bank heist will happen this year, due to these trojans.
Roger
Posted by Roger Grimes on March 4, 2006 01:06 PM