no one is safe ...

Banking Malware 101 - Overview of Current Keylogger Threats

Banking Trojans

  • Nethell/Limbo (Browser Helper Object - BHO)
    - can register to several browser events, drops several files to %Windir%\system32, varying name (z.B. gcomd32.dll), analyze with OllyDbg, also steals cookies
  • ZeuS/Wsnpoem/Zbot
    - creates %Windir%\system32\wsnpoem (version 1)), files: ntos.exe, oembios.exe or twext.exe, drops other files (, video.dll) incects itself into various processes, features: form grabber, inject arbitrary HTML code, stealing certificates, more infos in the paper from Frank Boldewin
  • other Trojans: Torpig, Sinowal, Mebroot, Banker, Bancos, SilentBanker, ChromeInject (Firefox Plugin)

Dropzone hunting

  • Colecting Samples - Client side honeypots: automatically surf websites, monitor system and watch for drive by downloads, capture-HPC, HoneyClient, phoeyd
  • Spam traps, watch for attachments and look for links and follow them
  • User Simulation
    Not all samples immediately access the dropzone - we emulata behavior of a user with AutoIt

Analyse the malware sample


  • analyzed 2000+ banking trojans
  • found 140+ nethell dropzones
  • found 200+ ZeuS dropzones
  • ...