Sunspot Financial Malware Targeting Windows Systems

Friday, May 13, 2011



Researchers at security provider Trusteer are warning of a relatively unknown strain of malware called Sunspot that is showing indications of rapid distribution and elevated infection rates.

Sunspot, which was not originally designed as a financial fraud tool, is capable of infecting administrator accounts on 32-bit and 64-bit Windows platforms from Windows XP through Windows 7. It can carry out man-in-the-middle (MitM) attacks, screenshot capture and keylogging, and can also:

  • "Grab" account balance figures, last login date, etc.
  • Request additional online banking details from the user (such as the full security PIN/password or answers to secret questions)
  • Request payment card information (card number, ATM PIN, CVV, expiration date)
  • Request personal information (driver's license, mother's maiden name, date of birth)
  • Take screenshots of the area around the mouse pointer as the user types his/her password on a virtual keyboard

Analysis by the online scanner service VirusTotal indicates that, so far, only nine of the forty-two antivirus packages tested detect the Sunspot malware.

"Sunspot is interesting for two reasons. First, it reveals a new approach to financial malware development. Unlike purpose-built financial fraud platforms like Zeus, SpyEye, Bugat, and others, it appears Sunspot was not originally developed as crimeware. If this is the case, we could be witnessing a sea change in malware development where general-purpose and little-known malware platforms are re-programmed to carry out financial fraud. This will make it even more difficult to defend against attacks since banks will be ambushed by a growing number of unique financial malware platforms," said Trusteer's CTO Amit Klein.

The malware is currently targeting financial institutions in North America, with losses already reported, and the researchers put the strain's infection rate on par with that of better-known banking malware such as Zeus and SpyEye.

"Sunspot illustrates an increasing emphasis by crimeware authors on payment card theft. We are seeing more and more malware asking victims for their credit and debit card information together with additional identifiable information. This allows criminals to commit card-not-present fraud on the Internet, and also makes it more difficult for banks to identify the source of fraudulent transactions since they cannot trace it back to a specific computer. We believe that a significant percentage of fraudulent card-not-present transactions today originate from malware," Klein continued.

Trusteer researchers have traced the Sunspot command and control (C&C) servers to a domain registered in Russia.
