This site uses cookies to provide you with a more responsive and personalized service. By using this site you agree to our use of cookies. Please read our cookie notice for more information on the cookies we use and how to delete or block them.

Bookmark Email Print page

Trojan horse investigation

Computer Forensics

Background:
We provide forensics services to a number of large financial services companies. One of these firms discovered that a number of their customers had a Trojan horse virus placed on their hard drives. This program was designed to steal the customers’ electronic banking details and send them to an Internet site in a foreign country.

Concern:
To identify the Trojan horse program and to shut down the site.

Deloitte’s Actions:
• We obtained permission to analyse a number of the affected customer’s computers.
• We identified the Trojan horse program (it was hidden as an innocuous system file).
• We reverse-engineered the program to identify the Internet site to which the customer’s banking details were sent.
• At the same time we analysed the customers’ browsing and email history to identify where the Trojan horse originated.

Deloitte’s Findings:
• We determined that customer details were being sent to an Internet site in Russia. It appeared that the computer in question belonged to an innocent party, but had been hacked by the fraudsters and re-configured to receive the data from the Trojan horse.  
• We also identified two websites, one selling tools, the other providing financial advice, which contained code which caused any visitor to the site to be infected with the Trojan horse program. Again, the proprietors of the sites were innocent. Their web-developers had been unwise enough to use programs from a 'code sharing site'. A hidden command had been placed in the code that downloaded the Trojan horse program.
• We located the infected code on two code-sharing sites and had it removed.

Results:
• The Internet site in Russia was quickly shut down.
• Both infected websites were advised of their problems.
• The Trojan software was removed from the customers’ computers.

Comments:
Internet criminals are becoming increasingly sophisticated. This type of fraud, based on contaminated code, is an old one, but as can be seen above, it is still highly effective. Developers should never use software code unless they know for certain the exact purpose of every command within it.

Page Last Updated

Material on this website is © 2013 Deloitte Global Services Limited, or a member firm of Deloitte Touche Tohmatsu Limited, or one of their affiliates. See Legal for copyright and other legal information.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/ie/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Get connected
Share your comments
More on Deloitte
Learn about our site