In an interview given to the Brazilian press, F-Secure’s Mikko Hyppönen said that it isn’t safe to access your bank through the Internet in Brazil. He suggested some solutions, such as using a virtual machine solely for online banking activities.
I agree with Hyppönen that using a virtual machine might be a good idea, but for a different reason than his.
Brazilian banks have been forcing users to install “protection” software. I can’t find any information on how exactly it works to protect users, or whether it works at all. In my experience, this software has never prevented a trojan from being installed. It does sometimes prevent users of non-Windows computers - which can’t install such software - from accessing online banking, though. (An irony, given that the protection is currently only needed on Windows computers; Hyppönen says in the interview that even phone banking is safer.)
The main offender is a program called G-Buster Browser Defense, also called GBIEH, by GAS Tecnologia.
As an administrator of a technology-related forum, I can say that many users complain about the side effects of G-Buster. It can’t be easily uninstalled (there is no entry in Add/Remove Programs and no official documentation on its removal). It has ended up in antivirus and anti-spyware definition lists multiple times because of its persistent behavior: it comes back if you simply delete it; it hooks into processes and polls registry keys, slowing the system down; it starts both as a Winlogon Notify DLL and as a Service, and each restores the other. A user told me a few days ago that he needed to know how to remove it because all of his machines became slow after it was installed.
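If you want to see that pair for yourself, the two persistence locations described above are ordinary Windows registry locations and can be enumerated. The following script is an added example, not code from this post or from any product it mentions; it assumes only the standard Winlogon Notify key (an XP/2003 mechanism) and the standard Services key, and the “same directory” grouping at the end is a heuristic of this example rather than anything the post claims about how G-Buster is laid out.

```powershell
# Added example: list Winlogon Notify DLLs and service binaries so a
# mutually-restoring pair (DLL + service) stands out. Run elevated.
# Registry paths are standard Windows locations, not product-specific.

$notifyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-WinlogonNotifyDlls {
    # Each subkey names a DLL that winlogon.exe loads at logon (XP/2003).
    # On Vista and later the key is normally absent, so return nothing.
    if (-not (Test-Path $notifyKey)) { return @() }
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        # A bare file name is resolved relative to System32.
        $path = $dll
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $path = Join-Path $env:SystemRoot "System32\$dll"
        }
        New-Object PSObject -Property @{
            Kind   = 'WinlogonNotify'
            Name   = $_.PSChildName
            Start  = $null
            Path   = $path
            Exists = [bool]($path -and (Test-Path $path))
        }
    }
}

function Get-ServiceBinaries {
    # ImagePath may be quoted, carry arguments, or use kernel-style prefixes;
    # reduce it to the executable path. (An unquoted path containing spaces
    # and arguments is truncated at the first space; that is a known limit.)
    Get-ChildItem $servicesKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if (-not $p -or -not $p.ImagePath) { return }
        $img = [string]$p.ImagePath
        $img = $img.Trim()
        if ($img -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($img -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $exe = $exe -replace '^\\\?\?\\', ''                      # \??\C:\...
        $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot     # \SystemRoot\...
        if ($exe -match '^system32\\') { $exe = Join-Path $env:SystemRoot $exe }
        New-Object PSObject -Property @{
            Kind   = 'Service'
            Name   = $_.PSChildName
            Start  = $p.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            Path   = $exe
            Exists = [bool](Test-Path $exe)
        }
    }
}

$entries = @(Get-WinlogonNotifyDlls) + @(Get-ServiceBinaries)

$entries | Sort-Object Kind, Name |
    Format-Table Kind, Name, Start, Exists, Path -AutoSize

# Heuristic (assumption of this example): a Notify DLL and a service binary
# living in the same directory is the shape of the pair the post describes.
$byDir = $entries | Where-Object { $_.Path } |
    Group-Object { Split-Path $_.Path -Parent } |
    Where-Object {
        @($_.Group | ForEach-Object { $_.Kind } | Sort-Object -Unique).Count -gt 1
    }

if ($byDir) {
    "`nDirectories holding both a Winlogon Notify DLL and a service binary:"
    $byDir | ForEach-Object {
        "  $($_.Name): $(($_.Group | ForEach-Object { $_.Name }) -join ', ')"
    }
}
```

Read the output against what you actually installed: on a clean XP machine the Notify key holds a handful of Microsoft entries pointing into System32, so a Notify DLL outside System32, or one sharing a directory with an auto-start service, is exactly the thing to investigate before deciding whether the machine (or the VM) is worth keeping.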
I find removing such “protection” software a harder task than removing the trojans themselves. It looks very much like a trojan horse to me. And it looks like a trojan to the trojan makers as well: the newest Banker trojans include the UnHackMe anti-rootkit software together with a definition list that makes it delete G-Buster.
It is interesting how a tool that was supposed to be used to remove trojan horses ends up being used by trojan horses to remove protection software. (We have seen security tools used by trojans before, such as when a spambot installed a hacked copy of Dr. Web, but in Dr. Web’s case the targets were competing bots, not the protection software itself.) Earlier trojans tried SYSTEM-privileged Task Scheduler jobs and DEL commands in Autoexec.bat to remove GBIEH, but updates made removing it harder and harder. Back when it was first released, deleting it with IE closed was enough to make it go away.
Since every online banking user needs to “infect” himself with such software, I do recommend using a virtual machine, or else you may end up with something that even the trojans themselves have trouble getting rid of.
Here you can find an analysis of G-Buster and instructions on how to get rid of it, though it is outdated (April 2007) and I know, from tracking the trojans that attempt to remove it, that the software has been getting constant updates to make its removal harder.
[Update 2008-03-05] Symantec included the installation of UnHackMe in one of their descriptions, causing problems for the anti-rootkit’s developers. I think I should make it clear here that I don’t think UnHackMe deserves any blame. It’s a legitimate tool. If we are going to outlaw and/or flag as malicious anything that could possibly be used for bad things, I think we should start by outlawing hammers, deleting every Internet browser (since they can render phishing pages, which systems without browsers can’t) and banning the Windows API, which has dangerous functions that allow registry editing and file removal.