SpyEye banking malware learns to cover its tracks

SpyEye banking malware has added a new feature to its arsenal that takes advantage of "paperless" statements by hiding the fact that your bank account has been compromised.
The infamous SpyEye banking Trojan has a new trick up its sleeve: a feature that keeps fraud victims in the dark as it drains their bank accounts. According to PCWorld, the Trojan uses a technique called HTML injection to trick banking customers into divulging account information. Once SpyEye has access to the account, it can now hide fraudulent transfers of money by displaying an inaccurate bank balance. In a blog post, security firm Trusteer explains:

... the malware hides ("replaces") the fraudulent transactions in the "view transactions" page, as well as artificially changing the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been 'taken over', nor that any fraudulent transactions have taken place.

Security News Daily notes that so far the Trojan is targeting victims in the United States and the UK. Of course, paper statements would reveal the thievery, but the push by many banks to go paperless could mean the crime goes undetected for months. Sophos' Naked Security blog offers two simple, but often overlooked, tips to protect against the new and improved SpyEye:

  1. Keep browsers and antivirus software up to date.
  2. Make sure your browser's anti-phishing feature is turned on.
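The HTML injection described above changes only what the browser renders; the bank's own ledger, which is what a paper statement prints, still carries the hidden transfer. The following Python example is added here and is not code from the article, from Trusteer, or from any product mentioned on this page. It parses a constructed snapshot of a tampered "view transactions" page, compares it with a constructed ledger, and flags the row that was removed even though the displayed balance still adds up. Every transaction, the `txns` and `balance` element ids, and the page layout are constructed assumptions.

```python
"""Added example (not from the article): reconcile the transaction page a
customer sees against the bank's ledger, the way a paper statement would.
Every transaction, element id and layout below is constructed."""
from decimal import Decimal
from html.parser import HTMLParser

# Constructed ledger: what the bank actually recorded (date, memo, amount).
LEDGER = [
    ("2011-01-03", "Payroll", Decimal("2500.00")),
    ("2011-01-05", "Grocery", Decimal("-86.40")),
    ("2011-01-06", "Wire transfer", Decimal("-1900.00")),
    ("2011-01-07", "Coffee", Decimal("-4.10")),
]


def render_statement(ledger):
    """Build the honest page: the rows plus a balance that is their sum."""
    rows = "\n".join(
        f"<tr><td>{d}</td><td>{memo}</td><td>{amt}</td></tr>" for d, memo, amt in ledger
    )
    balance = sum((amt for _, _, amt in ledger), Decimal("0"))
    return f'<table id="txns">\n{rows}\n</table>\n<span id="balance">{balance}</span>'


# Constructed snapshot of a tampered page: the wire row is gone and the balance
# was raised by the same amount, so the page still adds up on its own.
TAMPERED_HTML = """
<table id="txns">
<tr><td>2011-01-03</td><td>Payroll</td><td>2500.00</td></tr>
<tr><td>2011-01-05</td><td>Grocery</td><td>-86.40</td></tr>
<tr><td>2011-01-07</td><td>Coffee</td><td>-4.10</td></tr>
</table>
<span id="balance">2409.50</span>
"""


class StatementParser(HTMLParser):
    """Pull (date, memo, amount) rows out of table#txns and the balance span."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self.balance = None
        self._in_table = self._in_row = self._in_cell = self._in_balance = False
        self._cells = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "table" and attrs.get("id") == "txns":
            self._in_table = True
        elif tag == "tr" and self._in_table:
            self._in_row, self._cells = True, []
        elif tag == "td" and self._in_row:
            self._in_cell = True
        elif tag == "span" and attrs.get("id") == "balance":
            self._in_balance = True

    def handle_endtag(self, tag):
        if tag == "table":
            self._in_table = False
        elif tag == "tr" and self._in_row:
            self._in_row = False
            if len(self._cells) == 3:  # skip header or malformed rows
                date, memo, amount = self._cells
                self.rows.append((date, memo, Decimal(amount)))
        elif tag == "td":
            self._in_cell = False
        elif tag == "span":
            self._in_balance = False

    def handle_data(self, data):
        if self._in_cell:
            self._cells.append(data.strip())
        elif self._in_balance and data.strip():
            self.balance = Decimal(data.strip())


def reconcile(ledger, page_html):
    """Compare the rendered page with the ledger and report any discrepancy."""
    parser = StatementParser()
    parser.feed(page_html)
    parser.close()
    ledger_rows, shown_rows = set(ledger), set(parser.rows)
    ledger_balance = sum((amt for _, _, amt in ledger), Decimal("0"))
    shown_sum = sum((amt for _, _, amt in parser.rows), Decimal("0"))
    hidden = sorted(ledger_rows - shown_rows)
    unexpected = sorted(shown_rows - ledger_rows)
    return {
        "hidden_transactions": hidden,  # in the ledger, not on the page
        "unexpected_rows": unexpected,  # on the page, not in the ledger
        "ledger_balance": ledger_balance,
        "displayed_balance": parser.balance,
        # A tampered page can still add up: this check alone proves nothing.
        "page_internally_consistent": shown_sum == parser.balance,
        "tampered": bool(hidden or unexpected) or parser.balance != ledger_balance,
    }


if __name__ == "__main__":
    for label, html in (("honest", render_statement(LEDGER)), ("tampered", TAMPERED_HTML)):
        report = reconcile(LEDGER, html)
        print(label, "tampered =", report["tampered"], "hidden =", report["hidden_transactions"])
```

The `page_internally_consistent` flag makes Trusteer's point: the rewritten page is arithmetically self-consistent, so checking that the listed rows add up to the displayed balance detects nothing. Only comparison against an independent record, such as the mailed statement the article mentions or the bank's own back-end ledger, exposes the hidden transfer.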

and/or security utilities that don't need signatures, and can work in an infected environment. The new reality requires that I and my clients load the following programs:

  1. Trusteer's Rapport - blocks keyloggers and injection attacks that result in session riding.
  2. LastPass or Roboform - encrypts all personal information.
  3. KeyScrambler - blocks all forms of keylogging and video capture.
  4. Emsisoft Anti-Malware - among other features it will instantly detect anything that is behaving badly (HIPS) and block all spy or other nefarious activity. This new product actually works against attacks. It also works very smoothly with all anti-virus solutions. WinPatrol is free and does the same thing but only has alert capabilities; it will at least let you know if a Zeus variant has injected into the startup folder.
  5. Running as a standard account and CCleaner - theoretically doing this will erase anything sitting in the temp folders waiting for you to reboot so it can inject into the startup folder. Piriform is constantly updating this simple but effective tool to thwart attacks against the CCleaner execution file itself!! This is the only solution I know to get rid of zombie cookies, otherwise known as 'ever-cookies'.
  6. I like Avast because it usually detects ill-gotten files before they have been fully formed as a virus signature; I'm not sure it has kept up, but I've never been let down by Avast. In my experience, if Avast doesn't detect it, that is because the virus is lying dormant in the temp files. CCleaner will finish them off.
  7. Any product with a hosts file or IP blocker like SpywareBlaster or Malwarebytes Anti-Malware (MBAM). This one can only block bad IP addresses on restricted accounts but has real-time protection for the administrator account (paid version).
  8. NoScript for Firefox (of course).
  9. Online Armor or Comodo Firewall - both are free but only Comodo has the Defense+ HIPS. This host-based intrusion protection system may conflict with other sub-kernel utilities but can be dialed back to prevent conflict, and still provide a modicum of protection.

All of these are free except Emsisoft and MBAM. But well worth it if you do online banking and shopping. Using signature-based solutions is yesterday, but I still use them for cleanup after the fact.


About 4-5 months ago, I had this happen to me. The interesting thing was that when I went to my bank to dispute some unknown charges I had seen on my online account and the paper statements, they told me that they had been building a case against a group of people who had been responsible for compromising hundreds of accounts. Of course they wouldn't tell me who it was.


You could try a restore point. In the Control Panel, select System and Security, then in Action Center, Restore your computer to an earlier time. If you created a restore point you just may be able to get rid of the virus with a restore. I think that this type of restore is a full computer registry restore. You would do this at the start of every day. This one needs to be done as an experiment first on an offline computer.
