Trojan horse investigation
We provide forensics services to a number of large financial services companies. One of these firms discovered that a number of their customers had a Trojan horse virus placed on their hard drives. This program was designed to steal the customers’ electronic banking details and send them to an Internet site in a foreign country.
To identify the Trojan horse program and to shut down the site.
• We obtained permission to analyse a number of the affected customer’s computers.
• We identified the Trojan horse program (it was hidden as an innocuous system file).
• We reverse-engineered the program to identify the Internet site to which the customer’s banking details were sent.
• At the same time we analysed the customers’ browsing and email history to identify where the Trojan horse originated.
• We determined that customer details were being sent to an Internet site in Russia. It appeared that the computer in question belonged to an innocent party, but had been hacked by the fraudsters and re-configured to receive the data from the Trojan horse.
• We also identified two websites, one selling tools, the other providing financial advice, which contained code which caused any visitor to the site to be infected with the Trojan horse program. Again, the proprietors of the sites were innocent. Their web-developers had been unwise enough to use programs from a 'code sharing site'. A hidden command had been placed in the code that downloaded the Trojan horse program.
• We located the infected code on two code-sharing sites and had it removed.
• The Internet site in Russia was quickly shut down.
• Both infected websites were advised of their problems.
• The Trojan software was removed from the customers’ computers.
Internet criminals are becoming increasingly sophisticated. This type of fraud, based on contaminated code, is an old one, but as can be seen above, it is still highly effective. Developers should never use software code unless they know for certain the exact purpose of every command within it.
Page Last Updated