In an earlier post, I wrote about how BankerFix, a generic Banker removal tool, came to be, and said that the current “Banker” problem is much bigger than it was in 2006. So, how big is it?

Linha Defensiva collects infection information based on HijackThis logs. I’m aware that this is not very accurate, as we cannot really be sure which infections are on a user’s computer. But since we have to help the user remove those infections, we can get an idea of what type of infection he has. We don’t care which Backdoor it is, we care that it’s a Backdoor. We don’t care whether it’s SdBot, Agobot or Rbot — but we do care that it’s a bot. And that’s how we group infections.

These are the top three infections according to the statistics we collected in July:

Infection Name    Infections (%)*
Banker            55,3%
Vundo             6,6%
Bots              5,6%

* Data based on over 1100 infections and 650 infected systems from Brazil.

It’s the first time Bots have fallen to third place. Before Bankers took the top spot, Bots used to be there. They had held 2nd place since then, and this month they lost it to Vundo. The difference is small, though, so it’s possible they’ll be back in 2nd next month.

But what really interests us is the first place. Even though BankerFix has been downloaded so many times, Bankers still manage to stay at the top. This is their second-highest number ever, although they had been floating in the 45-50% range for a while. Last month, they were over 60%.

And that’s how big the problem is. When those statistics first started to be collected (October 2005), Bankers wouldn’t even show up. Through 2006, the number of infections started to grow, until they took the first place.

Last time I checked, no anti-virus company top-ten list agreed with us. However, reality agrees. If you actually walk around in Brazil and check people’s PCs, you’ll see they have a Banker infection they probably don’t even know about. Most of the time, these infections are silent. People only notice them because of bugs in the code (such as the often cited socket error message or a “getwindowinfo” Internet Explorer window).

Because they are so simple, malicious messages almost seem generic among the sea of Orkut scraps or MSN IM windows. When spreading through e-mail, social engineering is always employed, sometimes in a very smart and indirect way. And because the attacks are in Portuguese and targeted at Brazilian users, it’s no surprise that they are the most common infection around here.

Here’s a YouTube video showing a Banker spreading through MSN and exploiting an IE flaw. (Gaim and MSN Messenger have each other as contacts, so when the infected Messenger sends the message, Gaim receives it.) It also shows the fake browser the Banker trojan installs in order to steal accounts, as well as BankerFix removing the infection.

Posted Tuesday, July 31st, 2007 at 5:40 am
Filed Under Category: Brazil, Viruses