SSL Trojan
An SSL Trojan is a money-stealing Trojan that attacks banking sites. It gets its name from the fact that the Trojan waits until the user creates a secure session with the bank being attacked and then activates. In action, most such Trojans...
- Autostart and check various registry keys, temporary Internet files, and logs to determine if the user has accounts at the particular bank(s) the Trojan is programmed to attack.
- If such accounts are found, the Trojan uses the temporary Internet files from the bank(s) to create local copies of those pages, which will be used later.
- When the user attempts to log on to one of the banks, the Trojan presents the user with the local version of the logon page instead of the bank's logon page. The user enters their data into that local copy, which the Trojan then uses to log into the bank itself.
- Since the Trojan basically sits between the user's browser and the Internet, it can fully manipulate what the user sees. The SSL connection is really to the Trojan's local Web page and not to the bank.
- The stolen credentials are then written to a file which is sent to the Trojan's master. (The file TEMP.DLB is one such file name implicated in this activity.)
This technique has also been referred to as "SSL mixing," "SSL-proxy," and "SSL man-in-the-middle."
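The behaviour described above suggests two defensive checks: a secure session to a watched bank site that terminates on the local machine or presents an unexpected certificate, and a file-creation event using the TEMP.DLB name. The following is an added example, not part of the original entry; the event record format, the hostnames, the certificate fingerprints and the file path are all constructed assumptions.

```python
import ipaddress
from pathlib import PureWindowsPath

# Constructed watchlist: hostname -> pinned certificate fingerprint (placeholders).
PINNED = {"bank.example": "AA:11", "credit.example": "BB:22"}
# File name the entry names as a drop file for stolen credentials.
DROP_FILE_NAMES = {"temp.dlb"}

def check_session(host, remote_ip, cert_fp):
    """Return the reasons a TLS session to a watched host looks intercepted."""
    reasons = []
    if host.lower() not in PINNED:
        return reasons  # not a site we monitor
    if ipaddress.ip_address(remote_ip).is_loopback:
        reasons.append("endpoint-is-local")  # session ends on this machine
    if cert_fp != PINNED[host.lower()]:
        reasons.append("certificate-mismatch")
    return reasons

def check_file_event(path):
    """Flag a file-creation event whose name matches a known drop file."""
    return PureWindowsPath(path).name.lower() in DROP_FILE_NAMES

def triage(events):
    """Map the index of each suspicious event to the reasons it was flagged."""
    findings = {}
    for i, ev in enumerate(events):
        reasons = []
        if ev["type"] == "tls":
            reasons = check_session(ev["host"], ev["remote_ip"], ev["cert_fp"])
        elif ev["type"] == "file" and check_file_event(ev["path"]):
            reasons = ["drop-file-name"]
        if reasons:
            findings[i] = reasons
    return findings

# Constructed sample telemetry (not taken from a real incident).
SAMPLE_EVENTS = [
    {"type": "tls", "host": "bank.example", "remote_ip": "203.0.113.10", "cert_fp": "AA:11"},
    {"type": "tls", "host": "bank.example", "remote_ip": "127.0.0.1", "cert_fp": "CC:33"},
    {"type": "file", "path": r"C:\Windows\Temp\TEMP.DLB"},
    {"type": "tls", "host": "news.example", "remote_ip": "127.0.0.1", "cert_fp": "DD:44"},
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS).items():
        print(idx, why)
```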
Last Changed: Monday, March 13, 2006
