Stealing Your Money - Sphinx Banking Trojan

Jordan Kadlec

Egyptian-Sphinx-StatueA new banking Trojan called Sphinx has surfaced in the criminal underground. Sphinx is said to be based on the source code of the notorious Zeus banking malware. Zeus, also known as Zbot, is a malware toolkit that allows a cybercriminal to build his or her own Trojan Horse. On the Internet, a Trojan Horse is programming that appears to be legitimate but actually hides an attack. Zeus, which is sold on the black market, allows non-programmers to purchase the technology they need to carry out cybercrimes. Once a Zeus Trojan infects a machine, it remains dormant until the end user visits a website with a form to fill out. One of the toolkit's most powerful features is that it allows criminals to add fields to forms at the browser level. This means that instead of directing the end user to a counterfeit website, the user would see the legitimate website but might be asked to fill in an additional blank with specific information for "security reasons."

sphinx banking trojan

What sets Sphinx apart from other online banking Trojans is that it has the ability to avoid detection by being immune from sinkholing, blacklisting, and even the Zeus tracking tool.

Sinkholing

Sinkholing is the redirection of traffic from its original destination to one specified by the sinkhole owners. The altered destination is known as a sinkhole. Sinkholes can be used for good or ill intent. Most commonly, sinkholes are used to redirect zombies in a botnet to specified research machines to capture data about them.

Blacklisting

Blacklisting is exactly how it sounds. In Internet terminology, it's a generic name for a list of e-mail addresses or IP addresses that are originating with known spammers. Individuals and enterprises can use blacklists to filter out unwanted e-mails, as most e-mail applications today have filtering capabilities.

Sphinx 

Sphinx was initially sold at $500 with features that include form grabbing, web injects for Internet Explorer, Mozilla Firefox and the Tor browser, a keylogger, as well as an FTP (File Transfer Protocol) and POP3 (a protocol for receiving e-mail by downloading it to your computer from a mailbox on the server of an Internet service provider) grabber. Developers note that Sphinx is designed to operate on computers running Windows Vista and Windows 7; even on those with the User Account Control (UAC) setting enabled. This means that Sphinx can work even on user accounts with low privileges.

Much like Zeus, Sphinx is capable of creating phishing pages that can trick users into providing sensitive banking credentials. Webinjects are used to rectify contents of a website that allows an attacker to steal credit-card and other information. Webfakes are used to carry out phishing attacks without tricking the victim into going to a malicious URL.

According to the developers, once the criminal has everything they need to access your banking information, Sphinx's Backconnect Virtual Network Computing lets them transfer money straight from the contaminated PC.

As the mentioned capabilities have garnered attention from users in the underground forum, the price of Sphinx has doubled to $1,000.

Share this: