Many modern computer criminals will not go to the trouble of “hacking” their way into a victim’s computer. Instead they will trick the victim into accepting a “Trojan horse” program that will give them access with little effort. Investigating cases like these needs discretion, patience and experience.
The problem
Our specialists were working for a large banking client. A number of this client’s customers were permitted access to their online bank accounts over secure internet connections. However, some customers began to claim that their systems had been compromised, and that transactions had been carried out on their client accounts without their authorisation. If their internet connections were secure, how could this be happening?
The solution
We obtained the permission of three of the affected customers to take forensic copies of their computers to see if there was anything on them that might have caused the security breach. We quickly found that all three were infected with the same eavesdropping malware, a type of program called a “Trojan horse”. When we reverse-engineered it we found it was designed to collect its victims’ security certificates and other credentials and then e-mail them to an internet address in Ukraine. The unauthorised transactions had been carried out on the customers’ accounts using these stolen credentials.
We quickly had the internet address shut down by its owner (an unsuspecting internet service provider). This prevented further losses to customers infected with the Trojan, but one question remained: where had the malware come from originally?
We found that the malware’s developers had placed computer code on a number of internet “code sharing” sites. These are sites where developers publish useful code they have written for the free use of others. The malware developers had written some software which greatly improved the efficiency of e-commerce sites’ checkout functions, and they had placed it on a number of different code sharing sites. Embedded in this software, however, was a hidden routine: whenever someone visited a site that used the shared code, the routine secretly redirected the visitor’s computer to another site (in Russia), where the Trojan was downloaded without the user’s knowledge. The owners of the sites where this malicious software had been incorporated were completely innocent, and had no idea that their websites were being used in this way.
We approached the code sharing sites and had them remove the malicious code. We also used internet forensic techniques to find a number of websites where the malicious software had already been deployed, and we advised those sites how to remove the malicious code without disabling their websites.