Trojan horse malware that provides its owners with credit card numbers, bank details, and other personal information has been discovered targeting Australian Internet Explorer users.
The Trojan was exposed last month by US-based anti-exploit development firm, Exploit Prevention Labs (XPL). However, according to Australian-born Roger Thompson, the company's Chief Technical Officer, it has been known among the whitehat community since April this year.
Victims receive what appears to be a Yahoo Greetings eCard, which directs Web browsers to an authentic eCard via an exploit server. If the exploit server detects browser vulnerabilities, it force-downloads post-logging software onto the user's computer.
This process happens so quickly that it is virtually unnoticeable, Thompson said, adding that some versions of the Trojan also force-download a rootkit which makes it invisible to Internet Explorer's add-on manager.
"It's very, very hard to tell if you've been infected," he said. "If your antivirus program can see it, that's fine. But if it doesn't, then you won't know it's there."
Although it is impossible to determine the exact number of affected users, Thompson expects there to be thousands of Australian computers at risk. XPL researchers have confirmed that accounts at nearly every Australian bank were affected.
The Trojan was found to have been exploiting the Internet Explorer MDAC vulnerability through the Russian-developed WebAttacker script, which XPL has found to be the most prevalent Internet-borne exploit generator. While a patch for the MDAC vulnerability was released by Microsoft in April, Thompson said, many Internet Explorer users remain susceptible because not all users apply patches.
"A lot of work computers don't get patched, because when you patch, a lot of other things can get broken," he said. "A lot of companies don't like patching because of this, and because they think they are safe behind a firewall."
"But browsers are authorized to get past firewalls; that's how they access the Internet," he explained. "And once you're authorized, consumer firewalls don't have enough resolution to distinguish between evil Web sites and clean Web sites."