Pharming Infection

It's pretty sophisticated then. If indeed you got no certificate errors then it's not quite as straightforward as modifying the page in transit.

I'm curious as to the details of how this particular piece of malware works, because it goes to great lengths to hide itself.

Suffice to say, you really should format as soon as possible. Or at least don't log into anything on that box any more. Your browser could potentially be still configured to trust bad certificates.

I will be formatting and won't log onto my bank from my PC... will use my iPad instead.

That's what got me... the moment I saw that it asked for my full password I checked the certificates... and they were 100% genuine, or at least appeared to be.

I also did a traceroute to my bank and nothing seemed amiss.

Very clever.

Personally I would just reformat for peace of mind.

This, although I'd also check the network I was plugged into; someone has perhaps done a little ARP poisoning if it's a public or insecure network, and they're spoofing that site rather than installing malware directly.

No point formatting if the network you are plugged into is compromised.
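The suggestion above to check the local network before blaming the host can be turned into a simple defensive check. This is an added example, not code from the thread: it compares a baseline snapshot of the ARP cache (Linux `ip neigh` style output) with a later one and flags the footprints that usually accompany ARP poisoning, namely the gateway's MAC address changing and one MAC answering for several IPs. Both snapshots are constructed sample data, and the gateway address is an assumption for the example.

```python
"""Flag ARP-cache anomalies that commonly accompany ARP poisoning.

Added example, not code from the original thread. Compares a baseline
snapshot of the neighbour table with a later one and reports:
  1. the gateway's MAC changing,
  2. one MAC address mapped to several IPs,
  3. any other IP whose MAC differs from the baseline.
Snapshot text is constructed in the style of `ip neigh` on Linux.
"""
import re
from collections import defaultdict

# Constructed sample data (not captured from a real host).
BASELINE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.21 dev eth0 lladdr 00:11:22:33:44:21 REACHABLE
"""

CURRENT = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.21 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
"""

GATEWAY_IP = "192.168.1.1"  # assumed gateway address for the example

# <ip> dev <if> lladdr <mac> <state>; entries without lladdr (FAILED etc.) are skipped
LINE_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.I)


def parse_neigh(text):
    """Return {ip: mac} parsed from `ip neigh` style output."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def find_anomalies(baseline_text, current_text, gateway_ip):
    """Return a list of (kind, ...) tuples describing suspicious changes."""
    baseline = parse_neigh(baseline_text)
    current = parse_neigh(current_text)
    findings = []

    # 1. Gateway MAC changed between snapshots: the strongest single signal,
    #    since poisoning the gateway entry is how traffic gets redirected.
    old_gw, new_gw = baseline.get(gateway_ip), current.get(gateway_ip)
    if old_gw and new_gw and old_gw != new_gw:
        findings.append(("gateway_mac_changed", gateway_ip, old_gw, new_gw))

    # 2. One MAC claiming several IPs (the attacker's NIC answering for others).
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate_mac", mac, tuple(sorted(ips))))

    # 3. Any other host whose mapping changed since the baseline.
    for ip, mac in current.items():
        if ip != gateway_ip and ip in baseline and baseline[ip] != mac:
            findings.append(("mac_changed", ip, baseline[ip], mac))

    return findings


if __name__ == "__main__":
    for finding in find_anomalies(BASELINE, CURRENT, GATEWAY_IP):
        print(finding)
```

On a real machine you would capture the baseline on a network you trust (or straight after connecting, before browsing) and feed the live output of `ip neigh` as the second snapshot. A changed gateway MAC is not proof on its own, since a router replacement or a dual-NIC gateway failing over produces the same change; what distinguishes poisoning is that the new MAC also shows up against other hosts' addresses, and that the change reverts when the attacker leaves.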

Well, I downloaded Trusteer Rapport today... something most banks provide on their sites to offer you a 100% secure connection to your bank, and 5 minutes after installing it, it found and deleted loads of man-in-the-middle Trojans injected into my browser. Torpig and Shylock malware... both man-in-the-middle viruses.

I would advise any of you to download Trusteer Rapport... it's very good at picking up these MIM attacks... something NO other antivirus program, including the very aggressive ComboFix, could discover.