Hackers have been using a Trojan whose sophistication would put professional IT departments to shame, to quietly steal bank account details on hundreds of thousands of computers worldwide.
For weeks, customers of large banks in the United Kingdom, Spain and Germany, have been duped by phishing emails into installing the MetaFisher Trojan, and putting their machines under the control of one of the most sophisticated botnets known so far.
"This is one of those big, under-the-radar threats that we've been concerned about" for some time said Ken Dunham, director of the rapid response team at VerSign's iDefense unit. "There has been a trend away from big-bang attacks to very targeted and sophisticated attacks that take place right under your nose. This is one of them."
According to Dunham, hackers have been sending out hundreds of thousands of e-mails prompting users in those three countries to visit malicious Web sites that use a Windows Metafile (WMF) exploit to download a Trojan program called MetaFisher on a victim's computer.
The Trojan, which is also known as Spy-Agent and PWS, is then used to collect and send bank account and personal information from the compromised system to remote servers where the data is harvested.
What sets MetaFisher apart from the hundreds of other similar Trojan programs is the sophistication of the command-and-control servers used to control it, said Eric Sites, vice president of research and development at Sunbelt Software.
"We have seen many Trojans with Web back-ends that collect data and send a few commands back to the bot," Sites said. In contrast, MetaFisher's management interface reveals a level of sophistication usually found only in professional IT departments, he said.
According to Dunham, MetaFisher uses a PHP-based Web site to track infections by country and to manage variants and scripts. It also includes a query routine to easily filter stolen data and find keylogger and account data for specific keywords, he said.
The command-and-control servers also allow hackers to modify the behavior of the bots based on information gathered from compromised systems, Sites said. For instance, the attack instructions and exploits that get downloaded on a victim's computer might vary based on the operating system.
For the moment, a vast majority of the installed MetaFisher bots are programmed to steal passwords, personal ID numbers and other information from compromised users who visit specific banking Web sites in the UK, Spain and Germany, Dunham and Sites said.
One of the command-and-control servers collecting stolen data is based in Washington, DC, Sites said. Over a four-day period ending today, about 29,000 infected computers reported back to this Web site with stolen data 561,857 times, Sites said.
The Internet service provider that hosts the illegal Web site has so far refused to respond to requests to shut it down, he said.