Introduction
F5 Labs attack series education articles help you understand common attacks, how they work, and how to defend against them.
What is a Trojan?
A trojan is any type of malicious program disguised as a legitimate one. Often, they are designed to steal sensitive information (login credentials, account numbers, financial information, credit card information, and the like) from users.
Trojan malware takes its name from the classic Trojan horse ploy from the war between the Greeks and the independent city of Troy. The ancient Greeks were able to defeat the city of Troy by hiding soldiers inside a giant wooden horse they left behind as a gift while they feigned retreat following a 10-year war. Little did the Trojans realize that by taking the horse as a trophy of war, they were bringing an elite Greek fighting force right inside the walls of their city, ultimately leading to the fall of Troy. A malicious gift thus became known as a Trojan Horse.
A trojan operates in much the same way, disguising itself as something good or beneficial to users while having a far more sinister, hidden purpose. Even a mobile app that appears to serve a genuine purpose (for example, a game, flashlight, or messaging service) can secretly be a trojan looking to steal information. Trojans evade detection by keeping their capabilities dormant until triggered, hiding components inside other files, running as part of a rootkit, or using heavy obfuscation.
Every individual family of malware has its own “signature moves,” and with each iteration, malicious actors grow more sophisticated. Banking trojans are a specific kind of trojan malware. Once installed on a victim’s machine, a banking trojan uses a variety of techniques: enrolling the machine in a botnet, stealing credentials (for example, by keylogging or grabbing submitted form data), injecting malicious code into the browser (“web injects”) to alter the pages a bank serves, or initiating fraudulent transactions from the victim’s account.
How Banking Trojans Began
It took almost 20 years for banking customers to get comfortable with the idea of online banking, which began in the 1980s. With the majority of banks offering online banking by the year 2000, it wasn’t long before attackers found ways to exploit this new attack surface using banking malware. Banks were quick to realize that they were attractive targets, and they responded by hardening their systems. In turn, cybercriminals soon realized that attacking the institutions themselves was difficult, so they pivoted to targeting customers instead. Stealing customer credentials was a more feasible avenue of attack, and out of this the first banking trojans were created. Banking trojans reached users primarily through spam, phishing, malicious advertising, drive-by downloads, and social engineering, often disguised as email attachments or games.
Since then, the scope, technical ability, and focus of malware authors have changed. What started as malware that primarily targeted customers of financial institutions evolved to target a range of industries, including online advertisers, digital analytics firms, financial tech companies, social media sites, and communication platforms. Today, banking trojans are pervasive across the Internet, and all sorts of institutions, not just financial institutions, need to be aware of how to protect themselves and their customers.
Speaking the Language
Before we look at specific banking trojans, there’s a bit of malware jargon that helps make these descriptions easier to understand:
- Malware family. A collection of malware that’s produced from the same code base.
- Variant. Malware built from an existing code base but modified so that its signature (for example, its file hash or a characteristic byte pattern) no longer matches the list of known-bad signatures used by anti-virus and anti-malware solutions.
- Strain. Another name for a malware variant.
- Malware version. Another name for a malware variant.
- Descendant. Similar to a variant, descendant refers to malware that’s based on an existing code base and integrates different tools or techniques.
- Campaign. A series of operations undertaken by malware authors intended to infect a specific set of targets.
- Rootkit. Code that runs at the lowest levels of an operating system (typically the kernel or below). Malware uses it to hide files, processes, and network activity from users, from security tools, and from the operating system itself.
- Bootkit. Malware that infects the boot process (for example, the master boot record or the bootloader) so that it loads before the operating system starts and can subvert the system from underneath it, surviving reboots and evading OS-level security controls.
- Dropper. Usually used at the first stage in a malware infection, droppers are designed to install some other kind of malware onto a target system.
- Sample. A single example of a malware variant that is studied by engineers to determine characteristics of the malware variant.
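The distinction between a family, a variant, and a sample is easiest to see in how detection behaves. The following Python is an added example, not code from F5 Labs: the "binaries" are constructed byte strings standing in for real executables, and the signature names (BankTrojan, BankTrojan.A) are hypothetical. Two samples from the same family differ by a single build-number byte; a hash signature recognizes only the sample it was written for, while a family signature that matches the shared routine (with a wildcard over the bytes a compiler or packer might change, the way YARA-style hex rules do) catches the new variant as well.

```python
import hashlib
import re

# Constructed stand-in "binaries" (not real malware): a shared credential-theft
# routine that the whole family carries, followed by a per-build marker.
FAMILY_CODE = b"\x55\x8b\xec" + b"grab_form:/login.do" + b"\xc9\xc3"   # constructed
SAMPLE_A = b"MZ" + b"\x00" * 6 + FAMILY_CODE + b"build=1001"           # constructed original
SAMPLE_B = b"MZ" + b"\x00" * 6 + FAMILY_CODE + b"build=1002"           # constructed variant
BENIGN = b"MZ" + b"\x00" * 6 + b"print_report:/stats" + b"build=1001"  # constructed clean file


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A hash signature identifies exactly one sample: any byte change defeats it.
HASH_SIGNATURES = {sha256_hex(SAMPLE_A): "BankTrojan.A"}  # hypothetical name

# A family signature matches the shared routine and tolerates a few variable
# bytes (the {0,16} wildcard) between the prologue and the string constant.
FAMILY_SIGNATURES = {
    "BankTrojan": re.compile(rb"\x55\x8b\xec.{0,16}?grab_form:", re.DOTALL),
}


def match_hash(data: bytes):
    """Return the hash-signature name for this exact sample, or None."""
    return HASH_SIGNATURES.get(sha256_hex(data))


def match_family(data: bytes):
    """Return the first family whose byte-pattern signature matches, or None."""
    for name, pattern in FAMILY_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def classify(data: bytes) -> dict:
    """Apply both signature types; a variant shows up as family-only."""
    return {"hash": match_hash(data), "family": match_family(data)}


if __name__ == "__main__":
    for label, blob in (("sample A", SAMPLE_A), ("sample B", SAMPLE_B), ("benign", BENIGN)):
        print(label, classify(blob))
```

Sample B is what the glossary calls a variant: same code base, new hash. In practice a signature list that only stores hashes must be updated for every rebuild, whereas a rule anchored on the shared routine keeps matching until the authors actually change that code.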