For years now, malware has attempted to evade detection by security software using many different methods. Functions such as ending processes and services and deleting files and registry keys related to security products are commonly included in many of today’s malware. We recently noticed a simple, but interesting, trick used in an attempt to prevent the installation of a security product.
A group of scammers, using a certain set of variants of Trojan.Snifula customized to target Japanese online banks and credit card companies, is now attempting to figure out ways to avoid detection from a security product local to Japan. A recent configuration file used by this variant includes JavaScript that attempts to stop a specific image file from appearing on a particular Web page when the user’s browser loads the content. This image file is a banner appearing on the top page of a major Japanese bank. The banner advises people to use PhishWall, a Japanese security product, in order to safely perform online transactions.
Figure 1. Banner in the form a GIF image file
As discussed in a previous blog, this group of cybercriminals has gradually increased its target of Japanese financial institutions throughout the year to include not only major banks, but also smaller regional institutions. It appears that this group is interested in achieving more success in the region and is avidly studying way in which they can avoid users being alerted to potential scams. Their attempt to hide the banner on the website may only be the start of things to come. The malware may potentially develop into a form that attempts to actually disable the security product. However, only time will tell if that will ever happen.
Cybercriminals being conscious about security software is nothing new. Specific threats that are designed specifically to terminate or remove security products, such as Trojan.KillAV, have existed for over a decade. It will be interesting to see how this particular new development plays out, but it should serve as a warning to online banking customers, financial institutions, and security vendors as to what future attacks may transform into. Trojan.Snifula is not going away any time soon, so all parties need be prepared to combat new waves of attacks.
Protection Symantec Security Response is closely monitoring Snifula and provides appropriate protection against this threat. We will continue to update our coverage as we see new Snifula variants. Users should keep AV and IPS definitions up to date and avoid opening suspicious email attachments or links to prevent infection.
The following detections are Symantec’s current protections against Snifula.
AV
IPS