back to article New online banking Trojan empties users' wallets, videos privates

Bank account-raiding Trojan Hesperbot has infected computers in UK, Turkey, the Czech Republic and Portugal, The Register has learned. Net security firm Eset said the software nasty is distributed via rather convincing-looking emails, which are dressed up as legit package tracking documents from postal companies or …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    What's the opposite of Hooray!

    1. Crisp

      Re: opposite of Hooray

      Oh bugger!

    2. Ralph B
    3. DJO Silver badge

      Yarooh.

      Thanks Microsoft for hiding the extensions by default which IMHO is one of the most stupid things they have ever done.

      1. Natalie Gritpants
        Facepalm

        A fairly simple fix for this would be for explorer to refuse to run any .exe that has more than one dot in the name. Chances of that happening?

        1. Anonymous Coward
          Anonymous Coward

          Having more than one dot is common practice. For example:

          program-1.0.exe

        2. Tom 35

          The simple fix

          Would be to show file extensions by default.

          Your solution is convoluted and would result in some existing programs failing.

          1. Dan 55 Silver badge
            Windows

            Re: The simple fix

            One or more valid executable extensions (.com, .exe, .scr) preceded by one or more valid extensions on a file saved with website origin metadata should make Explorer refuse to run the file point blank and no 'click yes if you are really sure' should be offered.

        3. AndrueC Silver badge
          Stop

          Chances of that happening?

          That's quite common in .NET land where assemblies and executables can include namespaces. Take a look under '<program files folder>\Reference Assemblies\Microsoft\Framework\.NETFramework\'

          1. Peter2 Silver badge

            Implement a Software Restriction Policy as follows:-

            Default Level : Disallowed

            Rule: Allow C:/Program Files

            Rule: Allow //server/required_executables

            This needs minor modifications for each environment it's used in so the paths allow all programs your business uses (which should all be in program files already, but this needs checking) Failing that, just leave the default as unrestricted and set the temp folders to disallowed.

            Unauthorised executable code ran from email attachments execute in the temp folder, which does not have execute permissions so trojans etc the users may run just generates an error message stating "Sorry, Dave, you can't do that! Contact your System Administrator"

            And that's the end of your virus outbreak, even if your AV doesn't have signatures for it since it's a zero day threat.

          2. Tom 13

            Re: That's quite common

            Regardless of frequency of use, practices which have the ultimate affect of compromising users should be avoided.

            Yes, this one still mostly belongs in the MS court for bad, bad, bad choices on default settings. Given that MS have decided to try to ape Apple's forked file structure using three dot extensions on their file format, they do need to implement something to check the file when it has a double dot. If the OS can always determine whether or not the file is executable, the icon for the file should always default to one that shows the user the file is an executable. Better still, get rid of the thrice-damned obfuscation.

      2. MacGyver

        Clicky, click.

        "Thanks Microsoft for hiding the extensions by default which IMHO is one of the most stupid things they have ever done."

        And show the feeble-minded that those clickable words point to things called "files" and those have things called "extensions", and those mean different things. Consumer's Mind=Would Be Blown. (from Microsoft's point of view) They want users that click on pictures, and enter their creditcard info when prompted, not ones that understand file extensions. (have you seen Windows 8?)

  2. Anonymous Coward
    Anonymous Coward

    Move Along Linux Users

    Nothing to see here except a great big pile up on the A249 and lots of pain for windows users.

    1. mmeier

      Re: Move Along Linux Users

      Well, even criminals have some self-respect so the refuse to target Linux

      1. Roo
        Linux

        Re: Move Along Linux Users

        The years of failure to get rich by cracking Linux would undoubtedly ruin a criminal's self-respect. Long may it continue and if any low self-respect skiddies are reading : give up, go back to Windows where you belong.

        1. mmeier

          Re: Move Along Linux Users

          Actually Trojans like this one work on every OS. They do not use a security hole, they get the user to open the doors and haul them in. But 1.4 percent market share is not worth writing a version, even less so since considerable parts of that share are students and low income groups

          1. Anonymous Coward
            Anonymous Coward

            Re: Move Along Linux Users

            I think allowing an executable to run by merely clicking on a hyperlink IS the fault of the OS and its helper programs.

            Certainly on my systems running OpenSUSE/Firefox it will not run but put a warning message to the effect that the file is a binary and would I Iike to save it. If it is saved the executable bit is not set.

      2. Flocke Kroes Silver badge

        Re: Move Along Linux Users

        I did not see any mention of an app for Windows Mobile, Windows Phone 7 or Windows Phone 8. Perhaps the tiny installed base is too fragmented.

        1. Nunyabiznes

          Re: Move Along Linux Users

          So, the low% and fragmented user base is a valid argument for WinPho but not for *nix? But isn't Android an offshoot of Linux? According to the article Android is targeted.

          Welcome to the breakover point for justifying malware for android, linux, etc.

          1. mmeier

            Re: Move Along Linux Users

            "Core" Android (below the vendor-specific UI stuff) is actually pretty standard and, unlike Linux "Multiple mutant penguins" with a rather stable API/ABI in the "major" versions (2.x, 4.x) A lot easier as a target platform.

      3. Roo
        Devil

        Re: Move Along Linux Users

        I particularly enjoyed this comment from Bruce Schneier:

        "I'm still primarily on Windows, unfortunately. Linux would be safer."

  3. @ValidSoft

    Combating global cyber crooks

    Fraudsters using new and improved Zeus and SpyEye malwares like Hesperbot to infiltrate people’s computers, enabling them to steal their personal details so that they can siphon large amounts of money into their own bank accounts. This isn’t the first time that malware has conquered innocent victims’ computers, but what is more malicious about the new version is that money transfers are automated. Criminals are evolving with technology and targeting cloud-based servers.

    Fraudsters needn’t lurk around the internet and wait for people to log on to their bank accounts anymore (classic Man-in-the-Middle type fraud), instead with the process computerised, criminals can now drain bank accounts more quickly and efficiently making it even more difficult to detect.

    Organised criminal gangs are tactical and ambitious, targeting high net worth individuals and business accounts with large sums of money.

    The real worry is the sheer scale of this global problem that we are dealing with which is now a major a core revenue generator for organised crime.

    Perhaps, what the security industry needs to admit that alongside efforts to prevent fraud, the industry needs to focus increasingly on detection and what it can do is make it very difficult for fraudsters to actually use the stolen data to access bank accounts.

    As I’ve said before, two factor authentication is no longer viable. The industry needs to move towards a multi-layered approach to authentication, using a mix of visible and invisible layers such as voice biometrics. Also, detection needs to work in real-time so that victims and their banks are alerted to attacks immediately and thereby given the chance to prevent it from happening, saving them the inconvenience of being out of pocket and their banks from the costs of fraud investigation.

    1. Charles 9

      Re: Combating global cyber crooks

      The trick will be to make things BOTH secure AND easy to use. You need both because without the latter, people get fed up and go around. Trouble is, the two tend to work against each other, as secrity tends to require some complexity (to combat brute forcing) to be useable. And no matter which angle you take, there are complications (anything internal to the user like biometrics can't be replaced if cloned, and anything external to the user like dongles can be lost or stolen).

      Plus the anonymous nature of the Internet means there's a ponit when Mallory can mimic Alice to the point of gaining trust, stymiing forensic analysis. Some malcontents are patient enough to fall below the noise floor, such that trying to detect them (realtime or not) results in too many false positives, making the system impractical. Then there's the matter of establishing trust in the first place, and there's hints two parties who can't meet face-to-face can't properly establish it without help from a third party (who really can't be trusted), taking the whole e-commerce system back to DTA mode.

  4. Anonymous Coward
    Anonymous Coward

    Outsourcing opportunity

    Do they sell the details to the NSA?

  5. John Crisp

    Neither young nor poor, I'm happily in the minority :-)

    Time to get on with something constructive.

  6. monkeyfish

    Wait? What!

    You mean I shouldn't trust every message that come in to my inbox and click OK to every lttle thing that wants to install itself?! So that's why I can't see the internet for all the lovely toolbars I've got running.

    Move along.

  7. Yeti
    FAIL

    I've seen it

    We got it to our "corporate" address. It was quite cleverly made as it was a ZIP file that contained forgotwhatitwas_pdf.exe and the .exe sported a nice Acrobat(?) pdf icon.

    It didn't quite blend in here as we use Foxit Reader and it has a different icon.

This topic is closed for new posts.

Other stories you might like