Beware Trojan.Stabuniq, a new malware targeting American banks

Add “Trojan.Stabuniq” to your list of strange malware and other viruses to watch for. What makes this malware something to take notice of isn’t necessarily the scale of its reach or what it does to your home systems, but who and what it seems to be targeting. After all, isn’t there something to be nervous about when more than a third of the malware’s targets happen to be financial institutions?

Trojan.Stabuniq was discovered at the start of this year by Symantec, according to a blog post written by the company’s Fred Gutierrez. As he explains, Stabuniq hasn’t actually been detected on many systems since its discovery almost a year ago, and those it has been found on have been localized to the United States (most are in the Northeast, while some made it as far west as Arizona, Idaho and Montana). What is more unusual about the spread of Stabuniq, however, is the breakdown of its targets. “Approximately half of unique IP addresses found with Trojan.Stabuniq belong to home users,” Gutierrez wrote. Additionally, 11 percent “belonged to companies that deal with Internet security,” something he puts down to those companies intentionally infecting machines in order to understand the nature of the malware. “A staggering 39 percent, however, belong to financial institutions,” he went on. “These financial institutions had their outer perimeter breached as the Trojan has been found on mail servers, firewalls, proxy servers, and gateways.”

Stabuniq reportedly relies upon spam email to transfer onto machines, with the offending emails containing links to a server hosting a Web exploit toolkit that downloads and installs the malware once activated. According to Symantec’s technical details for the malware, it has only affected systems running Windows 2000, Windows NT, and Windows XP, and is likely to disguise itself within another application folder as it collects the following information from the computer:

  • Architecture type
  • Computer name
  • File name of the threat
  • IP address
  • Operating system version
  • Operating system service pack version, if installed
  • Running processes

This information is then broadcast to one of at least eight different servers in remote locations.

According to Gutierrez, the malware itself is relatively benign and easily removed when discovered (in the recommendations section of its technical details about the malware, the company essentially recommends “basic security best practices” to deal with the threat). But while that’s true, what is more disturbing is the seeming ease with which the malware, which collects and transmits information from the contaminated computers, made it onto systems belonging to banking firms and credit unions. Should we be concerned about a wave of mass identity theft and credit fraud hitting in 2013?
