In the previous posts, Banking Trojans I and Banking Trojans II, we gave an overview of the main banker trojan families and their basic characteristics (files and registry entries). Let's dig a little deeper now and look at the infection and hiding techniques each family uses.
Banbra (Dadobra, Nabload)
* Static process
* Process injected into other process
* Encrypted / packed file
Bancos
* Static process
* Process injected into other process
* Encrypted / packed file
Bankdiv (Banker.BWB)
* Static process
* Process injected into other process
* Encrypted / packed file
* Modification of Operating System files
* Substitution of Operating System files
Bankolimb (NetHell, Limbo)
* Static process
* Process injected into other process
* Encrypted / packed file
Banpatch
* Static process
* Process injected into other process
* Encrypted / packed file
* Modification of Operating System files
Briz
* Static process
* Process injected into other process
* Encrypted / packed file
Cimuz (Bzud, Metafisher, Abwiz, Agent DQ)
* Static process
* Process injected into other process
* Encrypted / packed file
Dumador (Dumarin, Dumaru)
* Static process
* Process injected into other process
* Encrypted / packed file
Goldun (Haxdoor, Nuclear grabber)
* Static process
* Process injected into other process
* Process hidden by rootkit
* Encrypted / packed file
* File hidden by rootkit
Nuklus (Apophis)
* Static process
* Process injected into other process
* Encrypted / packed file
PowerGrabber
* Static process
* Process injected into other process
* Encrypted / packed file
SilentBanker
* Static process
* Process injected into other process
* Encrypted / packed file
Sinowal (Wsnpoem, Anserin)
* Polymorphic process
* Process injected into other process
* Process hidden by rootkit
* Polymorphic file
* Encrypted / packed file
* File hidden by rootkit
Snatch (Gozi)
* Static process
* Process injected into other process
* Encrypted / packed file
Spyforms
* Static process
* Process injected into other process
* Encrypted / packed file
Torpig (Xorpix, Mebroot)
* Static process
* Polymorphic process
* Process injected into other process
* Process hidden by rootkit
* Encrypted / packed file
* File hidden by rootkit
* MBR rootkit