New Bugat Malware Aimed at Banking Websites to Steal Customer Data
By Justin Gattuso
Posted on Mar 6, 2010
Security researchers have recently discovered a new black market malware application specifically targeting banking websites that offer ACH and wire transfer services. Similar to its popular counterparts Zeus and Clampi, Bugat works by harvesting logon, RBA and PIN credentials from infected users' machines, among other things. Most bank and credit union websites have few defenses against this type of malware application, but the latest versions of MemberProtect can help to render Trojan horse applications like Bugat ineffective.
Bugat and its cousins work best on banking sites that use traditional static credentials: usernames, passwords, challenge questions and PIN values that require keyboard input and do not change after every use. If a user's computer is infected, Bugat can capture the user's keyboard entries, including username, password, challenge question answers and PIN values. Since most systems only require users to change these values every 30 days, the hacker is able to use these values to perform transactions until the breach is discovered, possibly up to 30 days from the date of acquisition.
One method that we use to counter these types of attacks is to use secondary transaction authorization codes, such as PIN values, that change after every use. MemberProtect also supports transaction validation methods that do not rely on keyboard input and do not collect information in a way that is easy for malware applications to capture and re-use.
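To illustrate why a code that changes after every use defeats replay of captured keystrokes, here is an added example (not MemberProtect's code or API). The class name, the 8-digit code format, the 300-second lifetime and the binding of each code to a payee and amount are assumptions of this example, and the binding goes one step beyond what the post describes.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window for this example


class OneTimeAuthCodes:
    """Single-use authorization codes, each tied to one pending transaction."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side secret, never sent out
        self._pending = {}  # user -> (code tag, transaction tag, expiry time)

    def _tag(self, *fields):
        mac = hmac.new(self._key, digestmod=hashlib.sha256)
        for field in fields:
            data = str(field).encode()
            mac.update(len(data).to_bytes(4, "big") + data)  # length-prefixed
        return mac.digest()

    def issue(self, user, payee, amount_cents):
        """Create a fresh code; how it reaches the user is outside this example."""
        code = f"{secrets.randbelow(10**8):08d}"
        self._pending[user] = (
            self._tag(code),
            self._tag(user, payee, amount_cents),
            self._clock() + CODE_TTL_SECONDS,
        )
        return code

    def authorize(self, user, payee, amount_cents, code):
        """True at most once per issued code, and only for its own transaction."""
        entry = self._pending.pop(user, None)  # spent on the first attempt
        if entry is None:
            return False
        code_tag, txn_tag, expiry = entry
        if self._clock() > expiry:
            return False
        code_ok = hmac.compare_digest(code_tag, self._tag(code))
        txn_ok = hmac.compare_digest(txn_tag, self._tag(user, payee, amount_cents))
        return code_ok and txn_ok
```

A static PIN captured by a keylogger stays valid until the user changes it; here the captured value is already spent by the time it can be replayed.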
Currently Bugat is targeting only a dozen or so banking sites, but experts believe that the authors are testing the application to determine its effectiveness in the field. If it continues to show promise, expect its popularity amongst hackers to grow.