Forget phish, start fumigating for RATs

'Remote access Trojans' harvest online bank passwords as you type them

A stream of text captured by a remote access Trojan horse, according to CardCops' Dan Clements. It included a series of Bank of America login passwords, which have been blurred by MSNBC.com.
CardCops
By Bob Sullivan
Technology correspondent
msnbc.com
updated 4:20 p.m. ET Nov. 2, 2005

Forget phish. It's rats that are about to cause the most trouble for Internet users.

Clever computer criminals have recently become much more sophisticated in their attacks against online banks, experts say. The Internet is now awash in programs called "remote access Trojans," or RATs, that feed on online banking passwords.

Trojan horse programs have traditionally sneaked their way onto computers by posing as desirable free software, such as electronic greeting cards or file-sharing programs. The malicious programs are hidden, and like the Greek soldiers hidden in the famous wooden horse, jump out to attack once they're safely inside. But others are pushed onto computers without any interaction at all, through various software vulnerabilities. In that case, consumers would likely have no way of knowing their machine has been subdued.

These new remote-access Trojans are designed specifically to lurk in the background, waiting until the unsuspecting user types the name of a well-known bank into a Web browser. Then, the program springs into action, copying every keystroke. The data is sent back to the criminal, who now can raid the online bank.

"This is the new thing," said Dan Clements of CardCops.com, a site that monitors online fraud.  His researchers recently gained access to an e-mail account that was set up to receive data from RAT-infested computers. The account held over 3,000 transmissions, he said.

One of the e-mails contained about 300 logins for Bank of America's Web site. 

"I get more and more of these every day," he said. "(Researchers) send it to me and say, 'Why isn't anybody doing anything?' "

Bank of America's Betty Riess said she couldn't comment on the specific case, but said the bank is currently rolling out new security features designed to limit the effectiveness of Trojan horses.

A control panel that can be used by a criminal controlling a computer with a RAT program. Drop-down menus make it easy to use.

Generally, banks are loath to discuss fraud, so there is precious little hard data about its extent.  But the Antiphishing Working Group, a consortium set up by financial firms and security companies, has noticed a dramatic uptick in RAT programs, says spokesman Dave Jevans.

Last month, the agency detected 170 distinct Trojan programs used to steal bank data.  In January, there were only about 30, he said.

"It's quite a big change," he said.  "(Banks) are having a hard time dealing with it, frankly."

Sneak attacks
These specialized forms of spyware, now being called by other names like crimeware, ratware, and even bankware, worm their way onto victims' computers in a number of ways. Some are inserted completely in silence, through an unpublished or unpatched software vulnerability. Others are hidden in Web sites on the Internet's darker side, such as pornography sites. Still others come in e-mail, disguised as electronic greeting cards.

But unlike familiar computer worms, these malicious programs do nothing to announce their presence, such as sending copies of themselves to everyone in the victim's address book. Instead, they lie in wait for the user to visit a banking Web site.

Security companies agree that such Trojans are popping up everywhere. Richard Stiennon, spokesman for anti-spyware maker Webroot, said his firm's research indicates that 1 in 10 Internet-connected computers has a Trojan horse installed on it. While many of those infected computers are still protected by firewalls that prevent data from being sent outside the system, others are at immediate risk, Stiennon said.

"Of all the threats we track, only one is increasing its presence in the enterprise: Trojan horses," he said. "For harvesting (personal) information it's more successful than phishing attacks."

Avivah Litan, an online banking security consultant at Gartner Inc., says banks are starting to feel the effects of the silent programs, even though there has been little public discussion about them. The stealthy nature of the programs has kept publicity about the trend to a minimum.

"No one has to talk about this because no one sees it," she said. "But I've definitely heard about it from major clients. ... They can tell from their consumers' calls to call centers."