Jean-Ian Boutin (ESET)
download slides (PDF)
A new banking trojan of the size and complexity of Win32/SpyEye seldom appears. It happened last year with the discovery of Win32/Gataka: a banking trojan that can inject content into HTML pages and whose modular architecture is easily extended with plug-ins. Once installed on a computer, Win32/Gataka lets botnet operators steal personal information. So far it has been used to steal banking credentials in several countries, including Germany, the Netherlands and Australia.
This presentation documents the discovery of this banking trojan, its internal design and its similarities with another well-known banking trojan, Win32/SpyEye. Among other things, the two share the same webinject configuration file syntax. This is a good example of specialization among malware writers: webinject files targeting specific institutions are interoperable between different malware platforms. We will also discuss advanced webinject configuration files and how the scripts they contain can be used to steal personal information automatically and/or attempt fraudulent bank transfers. Finally, we will go over some of the campaigns we have tracked in the past year and show how this new strain of malware targets national institutions and how it bypasses different two-factor authentication schemes.
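The interoperability point above rests on the webinject syntax itself. As an added illustration (not code from the presentation or from ESET), the following Python parses a config in that format and applies its rules to a fetched page. The syntax assumed here (set_url with a URL mask and G/P flags for GET/POST responses, then data_before / data_inject / data_after blocks each closed by data_end, with '*' as a wildcard) is the publicly documented ZeuS webinject format that SpyEye adopted; the bank domain, config and HTML below are constructed sample data.

```python
"""Parser and applier for the ZeuS/SpyEye-style webinject format.

Added example, not code from the presentation or from ESET. The syntax
(set_url / data_before / data_inject / data_after, each block closed by
data_end, '*' as wildcard, G/P flags for GET/POST) is the publicly
documented ZeuS format that SpyEye adopted; all sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class WebInject:
    url_pattern: str       # URL mask; '*' matches anything
    flags: str             # 'G' and/or 'P': apply to GET and/or POST responses
    data_before: str = ""  # HTML anchor preceding the injection point
    data_inject: str = ""  # HTML to insert
    data_after: str = ""   # anchor after the injection point; text between anchors is replaced


SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text: str) -> list[WebInject]:
    """Parse a webinject config into rules. Lines starting with ';' are comments."""
    rules: list[WebInject] = []
    current: WebInject | None = None
    section: str | None = None
    buf: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if section is not None:             # inside a data_* block
            if line == "data_end":
                setattr(current, section, "\n".join(buf).strip())
                section, buf = None, []
            else:
                buf.append(raw)
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("set_url"):
            parts = line.split()
            if len(parts) < 2:
                raise ValueError("set_url without a URL mask")
            current = WebInject(parts[1], parts[2] if len(parts) > 2 else "GP")
            rules.append(current)
        elif line in SECTIONS:
            if current is None:
                raise ValueError(f"{line} before any set_url")
            section = line
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if section is not None:
        raise ValueError("unterminated data block (missing data_end)")
    return rules


def _mask_to_regex(mask: str) -> str:
    """Escape literal text and turn '*' into a non-greedy wildcard."""
    return re.escape(mask).replace(r"\*", ".*?")


def url_matches(rule: WebInject, url: str, method: str) -> bool:
    """True if the rule's mask covers this URL and its flags cover this HTTP method."""
    flag = {"GET": "G", "POST": "P"}.get(method.upper())
    if flag is None or flag not in rule.flags.upper():
        return False
    return re.fullmatch(_mask_to_regex(rule.url_pattern), url) is not None


def apply_webinjects(rules: list[WebInject], url: str, method: str, html: str):
    """Return (modified_html, indices_of_rules_applied) for one HTTP response."""
    applied: list[int] = []
    for idx, rule in enumerate(rules):
        if not url_matches(rule, url, method) or not rule.data_before:
            continue
        pattern = re.compile(
            f"(?P<before>{_mask_to_regex(rule.data_before)})"
            f"(?P<mid>.*?)"
            f"(?P<after>{_mask_to_regex(rule.data_after)})",
            re.DOTALL,
        )
        m = pattern.search(html)
        if m is None:
            continue
        # Everything between the anchors is replaced by data_inject; with an
        # empty data_after the inject lands directly after data_before.
        html = html[:m.end("before")] + rule.data_inject + html[m.start("after"):]
        applied.append(idx)
    return html, applied


# Constructed sample config; example-bank.test is not a real institution.
SAMPLE_CONFIG = """
; rule 0: add an ATM PIN field to the login form on GET and POST responses
set_url https://online.example-bank.test/login* GP
data_before
<input type="password" name="passwd"*>
data_end
data_inject
<br>ATM PIN: <input type="password" name="atm_pin">
data_end
data_after
data_end

; rule 1: POST responses only
set_url https://online.example-bank.test/transfer* P
data_before
<input type="submit"*>
data_end
data_inject
<input type="hidden" name="note" value="injected">
data_end
data_after
data_end
"""

# Constructed sample page as the bank would serve it.
SAMPLE_LOGIN_HTML = (
    '<form action="/login" method="post">\n'
    '<input type="text" name="user">\n'
    '<input type="password" name="passwd" autocomplete="off">\n'
    '<input type="submit" value="Log in">\n'
    "</form>"
)

if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_CONFIG)
    page, hits = apply_webinjects(
        rules, "https://online.example-bank.test/login?lang=en", "GET", SAMPLE_LOGIN_HTML
    )
    print(f"rules applied: {hits}\n{page}")
```

For an analyst, the value is in running a webinject file recovered from a sample or its C&C against a saved copy of the targeted page: the extra form fields and hidden inputs that appear are exactly what the victim's browser would render, and because the format is shared, the same file can be checked regardless of which trojan carried it.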