Attacks On Banks
by Roel Schouwenberg - Senior Anti-Virus Researcher, Kaspersky Lab BNL - Monday, 17 November 2008.
This means that the vast majority of such malicious programs are designed to attack between one and three banks. The reason is that financial malware tends to be highly regional: a given program is written to target specific banks or institutions within a single region, typically the most widely used banks in a country such as the USA, Germany, Mexico or the UK. As Fig. 3 below shows, most financial malware concentrates on a relatively small number of banks. There are probably two reasons why these banks are such popular targets: first, they have a large number of customers, and secondly, lax security makes it relatively easy to obtain credentials for accounts held with them.



Fig. 3 - Percentage of malware attacking top ten banks among all financial malware


In 2007 there was also an upsurge in the number of password-stealing Trojans designed to capture all data entered into web forms (so-called form grabbers). These target the most popular browsers, i.e. Internet Explorer, Opera and Firefox. Because they record everything the user types into a form, such Trojans can obviously also be used to steal credit card details, and deploying one may be enough to breach a bank's defences; it all depends on the sophistication of the security measures the bank employs. Many banks which rely on single-factor authentication, i.e. a static username and password, are vulnerable to such relatively simple attacks, since a captured password can simply be reused by the attacker.


Evading detection

The overall trends in infection vectors used by malware are mirrored by financial malware: the vast majority of malicious programs targeting banks infect the victim's machine via web surfing. While a certain number of such programs are still delivered by email, there are clear reasons why those attacking financial institutions prefer the web.

Firstly, malicious programs delivered via email are more likely to attract the attention of antivirus vendors and financial institutions, not to mention the media and end users. Stealth is a key factor in the success of attacks on financial institutions, so a drive-by download that silently exploits a vulnerability in the browser or one of its plug-ins is obviously an attractive method. If users do not notice anything wrong with their machine, they will continue to use it as normal, and in this case continue to enter confidential data which can then be stolen and used by cyber criminals.

Secondly, and this is a significant factor in terms of evading quick detection by antivirus solutions, malicious programs which infect victim systems via the web are hosted on a web server under the attacker's control. The cyber criminals can therefore modify the malicious files very easily and frequently using automated tools, so that each download differs from the last, a method known as server-side polymorphism. In contrast to regular host polymorphism (where the algorithm used to modify the code is contained in the body of the malicious program and can be extracted from any captured sample), antivirus researchers cannot analyse the mutation algorithm at all, because it runs only on the remote server and never reaches the victim. Generic detection routines for programs which use server-side polymorphism are still possible, since something must remain invariant across copies (for instance the code that unpacks the payload on the victim's machine, or the payload's behaviour once it runs), but writing them takes longer than adding a signature for a single sample.
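The following Python simulation is an added example, not code from the article or from any real malware: it models a server that re-encodes a harmless constructed payload with a fresh XOR key and random junk on every download (a toy stand-in for server-side polymorphism), then shows that a per-sample hash signature only ever catches the one copy the antivirus lab obtained, while a generic routine that keys on the invariant decoder marker and emulates the unpacking catches all copies. The payload string, the `DECODER_STUB` marker and the file layout are assumptions made for the illustration.

```python
"""Simulation of server-side polymorphism and two detection approaches.

Added illustration, not code from the article. The "payload" is a harmless
constructed byte string and the "packer" is a toy XOR-plus-junk scheme; the
point is that every served copy has a different hash while an invariant
(the decoder stub) survives and can anchor a generic detection.
"""
import hashlib
import random

# Constructed stand-in for the malicious payload (plain text, not real malware).
PAYLOAD = b"FORMGRABBER_SIMULATION: constructed sample payload for the example"

# Fixed decoder marker every copy must carry so the victim side can unpack it.
# In a real packer this is executable decoder code; here it is just a tag.
DECODER_STUB = b"\x90DECODE\x90"


def serve_polymorphic_copy(payload: bytes, rng: random.Random) -> bytes:
    """What the attacker's web server does on every download request:
    pick a fresh XOR key and a random junk block, so no two copies match.
    Layout of the served file: stub | key | junk_len | junk | xor(payload)."""
    key = rng.randrange(1, 256)  # non-zero single-byte key
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 64)))
    encoded = bytes(b ^ key for b in payload)
    return DECODER_STUB + bytes([key, len(junk)]) + junk + encoded


def decode_copy(blob: bytes) -> bytes:
    """Victim-side unpacking, i.e. what the decoder stub does at run time."""
    if not blob.startswith(DECODER_STUB):
        raise ValueError("not a packed copy")
    pos = len(DECODER_STUB)
    key, junk_len = blob[pos], blob[pos + 1]
    body = blob[pos + 2 + junk_len:]
    return bytes(b ^ key for b in body)


def hash_signature_matches(blob: bytes, known_hashes: set) -> bool:
    """Classic per-sample signature: exact SHA-256 of a file seen before."""
    return hashlib.sha256(blob).hexdigest() in known_hashes


def generic_detection(blob: bytes) -> bool:
    """Generic routine: key on the invariant stub, emulate the unpacking, and
    inspect the recovered payload instead of the ever-changing outer bytes."""
    if not blob.startswith(DECODER_STUB):
        return False
    try:
        decoded = decode_copy(blob)
    except (ValueError, IndexError):  # truncated or malformed file
        return False
    return b"FORMGRABBER_SIMULATION" in decoded


def roundtrip_ok(seed: int) -> bool:
    """Sanity check that a served copy unpacks back to the original payload."""
    blob = serve_polymorphic_copy(PAYLOAD, random.Random(seed))
    return decode_copy(blob) == PAYLOAD


def run_simulation(n_copies: int = 5, seed: int = 1) -> dict:
    """Serve n_copies downloads; the AV lab only ever obtained the first one."""
    rng = random.Random(seed)
    copies = [serve_polymorphic_copy(PAYLOAD, rng) for _ in range(n_copies)]
    known_hashes = {hashlib.sha256(copies[0]).hexdigest()}
    return {
        "copies": n_copies,
        "distinct_hashes": len({hashlib.sha256(c).hexdigest() for c in copies}),
        "hash_signature_hits": sum(hash_signature_matches(c, known_hashes) for c in copies),
        "generic_hits": sum(generic_detection(c) for c in copies),
    }


if __name__ == "__main__":
    print(run_simulation())
```

Running it shows five served copies with five distinct hashes, one hit for the hash signature and five for the generic routine. The generic routine is also the one that takes more effort to write: it has to understand the packing format well enough to unpack or emulate it, which is exactly the extra work the text refers to, whereas a hash signature is produced mechanically from a single sample.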

Copyright 1998-2013 by Help Net Security.