FITSEC Ltd. has released a removal tool for the most notorious banking trojans: Zeus, Carberp, SpyEye, Gozi and Patcher. Attackers manage to infect millions of computers around the world because they have mastered very effective methods of evading antivirus scanning engines: they use custom crypters and packers on the trojan files, along with other code obfuscation techniques. As a consequence, the virus file signatures change very often, making traditional antivirus detection based on file signatures simply outdated.
The custom executable crypter industry (and market) is at least as big as that of the banking trojans themselves. On malware distribution websites, attackers change a trojan's file signature several times a day using different custom crypters and packers, while antivirus companies have a rather slow response time to these new, unknown threats; in any case, relying on file signature databases is a lost battle from the start.
The normal execution flow of a trojan is as follows:
- A crypted (packed) file with an unknown signature is executed without raising suspicion.
- The trojan embedded in this file is decrypted (unpacked) and executed in RAM in its decrypted form.
- The trojan injects itself into a legitimate Windows process, so that any requests from then on (such as Internet access) appear to be made by this legitimate process, be it the default browser, explorer.exe, services.exe or svchost.exe.
The FITSEC banking trojan removal tool is able to scan the memory space of every running process, looking for pieces of banking trojan code.
Though this tool is still at an experimental stage, it is a good idea to use it "just in case". We will watch the evolution of this very promising tool and try to keep you updated on its latest features.
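To illustrate why scanning process memory works where file signatures fail, here is an added example that is not FITSEC's tool and not code from the original post: a toy one-byte XOR stands in for a crypter, the "trojan" fragment, the signature and the process memory snapshot are constructed sample bytes, and the scanner searches each process region for a YARA-style hex pattern with wildcards.

```python
import hashlib
import re

# Constructed stand-in for a trojan code fragment as it sits in RAM after
# unpacking (not real malware bytes).
UNPACKED_FRAGMENT = b"\x55\x8b\xec\x83\xec\x40BANKTROJ\xe8\x12\x34\x56\x78\xc3"

# Hex signature with '??' wildcards (YARA-style). The four call-target
# bytes after 0xe8 differ per injection, so they are left as wildcards.
SIGNATURE = "55 8b ec 83 ec 40 42 41 4e 4b 54 52 4f 4a e8 ?? ?? ?? ?? c3"

# Constructed memory snapshot: the fragment injected into explorer.exe with
# a different call target; svchost.exe is clean. Regions are (base, bytes).
INJECTED = UNPACKED_FRAGMENT[:15] + b"\xaa\xbb\xcc\xdd" + UNPACKED_FRAGMENT[19:]
PROCESSES = {
    "explorer.exe": [(0x00400000, b"\x90" * 32 + INJECTED + b"\x90" * 8)],
    "svchost.exe": [(0x7ff00000, b"\x00" * 64)],
}

def compile_signature(sig):
    """Turn a hex pattern with '??' wildcards into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def toy_pack(data, key):
    """Simulated crypter (one-byte XOR): only here to show that repacking
    changes the on-disk bytes; real crypters are far more elaborate."""
    return bytes(b ^ key for b in data)

def file_hashes(data, keys):
    """SHA-256 of each repacked variant: one new file signature per key."""
    return [hashlib.sha256(toy_pack(data, k)).hexdigest() for k in keys]

def scan_processes(processes, sig):
    """Scan every region of every process; return (process, base, offset)."""
    pattern = compile_signature(sig)
    return [(proc, base, m.start())
            for proc, regions in processes.items()
            for base, data in regions
            for m in pattern.finditer(data)]

if __name__ == "__main__":
    print("hashes of two repacks:", file_hashes(UNPACKED_FRAGMENT, [0x5a, 0xa7]))
    print("signature hits in memory:", scan_processes(PROCESSES, SIGNATURE))
```

The two repacked variants hash differently and neither matches the signature on disk, yet the same signature finds the unpacked code inside the explorer.exe region.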
It can be downloaded from here.
Keep safe!