Web access security provider Trusteer has identified a Microsoft Windows malware dubbed “Sunspot” trojan that has been in circulation for a while but only recently developed financial fraud capabilities.
Sunspot infects computers running 32-bit or 64-bit Windows XP, Vista and 7, and infects Internet Explorer and Firefox browsers, which’re the most widely used.
“It’s currently targeting North American financial institutions and has already achieved SpyEye and Zeus–like infection rates in some regions. There’re confirmed fraud losses associated with Sunspot, so the threat is real,” Klein wrote.
“Sunspot is able to launch “man-in-the-browser” attacks in which the malware can see what the user is seeing when they’re on a bank Web site. Sunspot can see account balances, request additional information from the user such as password, PINs or answers to secret questions. It can request payment card information and other personal information such as drivers license number, date-of-birth and so on, the latter which can all be used for identity theft. Trusteer says Sunspot can also take screenshots of the open browser as a user is typing in a password or PIN, though only if done on a virtual keyboard such as on a smartphone or tablet computer. This’s similar to SpyEye/ZeuS, but those infections have, so far, seemed to plague mostly European institutions,” informs Klein.
Trusteer traced the trojan to Russia and Klein says this is how it infects your computer:
Once installed, Sunspot is started either by “rundll32.exe” via HKCU\Software\Microsoft\ Windows\CurrentVersion\Run or via HKLM\SOFTWARE\Microsoft\Active.