Security Experts:

The Evolution of Proxy Trojans

Proxy Trojans and Man-in-the-Browser Attacks Remain a Major Threat to Financial Institutions

(Part VIII in a Series on Cybercrime. Read Part IPart IIPart IIIPart IVPart V)

According to comScore, holiday shoppers spent more than $28 billion online this year. And this is before the final Christmas statistics even rolled in. With this massive amount of money rolling around, it comes as no surprise that the online banking and online retailers are attractive targets to hackers. What are the latest threats?

Proxy Trojans

The evolution of Proxy Trojans

Proxy Trojans are nothing new. They’ve evolved into three categories:

Stage 1: Keyloggers. This is the most primitive form of Proxy Trojan where the Trojan records the victims’ credentials as they log into a certain online application. The Trojan then sends the obtained credentials to command and control (C&C) servers. In fact, last year we saw 10K hotmail accounts captured by such Trojans. This incident reveals some interesting patterns. At first glance, and according to initial reports, it seemed that the credentials were obtained as a result of a phishing campaign. However, the analysis indicated that some username and password combinations were very similar – differing only by a letter or two. These “typos” were letters with close proximity on the keyboard which signify credentials harvested by keyloggers.

Stage 2: Browser-session recorders.

The next step of Proxy Trojan evolution is the malware’s ability to record complete browser sessions. This provides the hacker with the additional knowledge, for example, of PIN codes for debit cards, credit card numbers and answers to security questions. With this information at hand, a hacker can easily impersonate the victim at a later stage by “replaying” a user session. Zeus v2 for instance contains this capability. As uncovered in July, 100,000 UK computers are infected with this Trojan.

Stage 3: Man in the Browser (MitB).

These sophisticated Trojans are able to run in the context of the victim’s browser. This means that this breed of malware may be configured to inject HTML code into the browser’s requests and responses. In effect, the Trojan interacts in real-time with the bank and performs transactions on behalf of the logged-in victim - unknowingly to the user, or to the bank. Consider the following scenario: a MitB Trojan is installed on the victim’s machine. The victim, Bob, requests to transfer money from his checking account to a savings account. However, unbeknownst to Bob, Zeus alters the request to direct the transfer to an account in the Ukraine. When the bank requests verification on the transaction to the certain Ukranian account, once again Zeus interjects and modifies the bank’s response to match Bob’s request. Bob verifies and the bank proceeds to process the perceived genuine transfer request.

MitB in the wild

Most prominent Trojans, such as Zeus, Gozi, URLZone, Sinowal and SpyEye all have MitB capabilities. As one-time passwords and two-factor authentication mechanisms become more common among online banking applications, the credentials obtained by Proxy Trojans will become less effective. Consequently, attackers are starting to improve the autonomous capabilities of MitB code. The recent, and potentially costly, SilentBanker Trojan targeted more than 400 banks and had the ability to intercept banking transactions – even those guarded by two-factor authentication.

2011: MitB grows in sophistication

One 2011 security trend prediction that the security industry should watch out for is MitB. In the upcoming year we will see a few key developments:

• MitB attack sophistication will grow. This is just one more step in the evolution of malware as described above. As the security controls will set up to deal with the most current strain, hacker code developers will evolve their code to bypass these safeguards (see section on mobile, for example)

• MitB Trojans will continue to advance and target other online applications, not only banking applications. We are already aware of PayPal and eBay being targeted according to captured and analyzed configuration files. It’s only a matter of time where these MitB Trojans will target webmail and social networks.

• As these Trojans become more prevalent, we’re bound to see them featured in more browsers. In fact, MitB code which traditionally leeched on to IE browsers, is now starting to appear for other common browsers.

When MitB moves to mobile

It is not surprising then that banks are trying to defeat Trojans installed on unwary customers. One way is to use two-factor authentication, where the mobile provides the additional level of security. Before performing the transaction, the bank sends the user a mobile text (SMS) confirmation. But hackers have already found a way to bypass this new guard - Zeus Mitmo is the latest strain of Zeus targeted at mobile devices.


While avoiding infection by Proxy Trojans is presumably the responsibility of consumers, MitB attacks are quickly becoming a concern of online service providers. The actual rate of infection and the proliferation of the many types of MitB malware suggests that providers must be able to serve and protect those customers who may be infected with one type of malware or another. Just as the evolution of vehicle safety drove manufacturers- not consumers – to include devices such as ABS, Air Bags and ESP, online service providers will have to invest in mechanisms that allow them to do business with allegedly infected consumers. Helpful techniques include: strong device identification, client profiling, session flow tracking and site-to-client authentication.

Next Column

We are bound to see the growth of MitB Trojan sophistication throughout the upcoming year, including those targeting mobile devices. But mobile devices themselves hold a plethora of security vulnerabilities. As the popularity of these devices soar, we are going to see more threats to these devices. So stay tuned as I talk about what to expect in the upcoming year regarding mobile security.

 Related Reading > 2010 Device Integrity Report: U.S. Unprepared for Internet Device Flood

Read More of Noa's Cybercrime Columns Here

view counter
Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists with previous columns focusing on trends in the threat landscape. Her current interest lie on the business-side of security. Noa has worked for Imperva as a Sr. Security Strategist and before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.