"Keylogger" trojans are hidden programs that collect and store the keys pressed by the user to forward them to a third party. This way, the attacker receives a file containing the information the affected user has written (passwords, messages, etc.).
Many banking institutions have introduced the so-called "virtual keyboard", in an attempt to mitigate the activity of this type of trojans. It is an on-screen graphical representation of a keyboard, that the user can use to enter his data by pressing the virtual keys with his mouse instead of using his traditional keyboard.
Today we will analyze a new banking trojan that is a qualitative step forward in the dangerousness of these specimens and a new turn of the screw in the techniques used to defeat virtual keyboards. The novelty of this trojan lies in its capacity to generate a video clip that stores all the activity onscreen while the user is authenticating to access his electronic bank.
The video clip covers only a small portion of the screen, using as reference the cursor, but it is large enough so that the attacker can watch the legitimate user's movements and typing when using the virtual keyboard, so that he gets the username and password without going into further trouble.
The key to develop successful policies to counteract malware is to know its techniques in detail. To achieve it we need to go one step beyond the empiric analysis of specimens found in the wild, i.e. the results we get by executing the trojan; we must take one step forward and analyze its code.
In-Depth Analysis (PDF):
http://www.hispasec.com/laboratorio/banking_trojan_capture_video_clip.pdf
In the following URL you will find a video clip/flash that illustrates the performance of the trojan in an infected system and the data sent to the attacker:
http://www.hispasec.com/laboratorio/troyano_video_en.htm
