The BackSwap Trojan is a dangerous virus that has successfully hijacked hundreds of computers. In our removal guide computer users can learn more about its mechanism of infiltration and operation, as well as the necessary steps to remove active infections from compromised hosts.
|Tipo||Vírus Cavalo de Tróia|
|Pequena descrição||Silenciosamente infecta as máquinas de destino e modifica as principais aplicações e serviços do sistema.|
|Os sintomas||O usuário pode não sentir quaisquer sinais de infiltração.|
|distribuição Método||links maliciosos, arquivos maliciosos, E-mails maliciosos|
|Ferramenta de detecção|| See If Your System Has Been Affected by BackSwap |
Remoção de Malware Ferramenta
|Experiência de usuário||Participe do nosso Fórum to Discuss BackSwap.|
Grobios – How Does It Infect
The initial report of the BackSwap Trojan was reported on May 25th during a targeted attack against online banking services in Poland. According to the reports a large number of customers were impacted, specifically those from the following financial institutions:
- PKO Bank Polski
- Bank Zachodni WBK S.A.,
The hackers behind the threat were able to target transactions that range from 10 000 para 20 000 PLN which equals to amounts between 2680 para 5363 Dólares.
The primary method of distribution is the use of mensagens de email de spam that use advanced social engineering tactics in order to manipulate the victims into interacting with the dangerous elements. The emails are customized to appear as notifications from the banking institutions or other commonly used companies and Internet services. They contain either a hyperlinked instance or the Trojan is directly attached to the messages. The email messages can also serve as the primary means for the distribution of portadores de carga útil infectados. Two popular variants are the following:
- instaladores de software — The hackers choose popular applications that are often installed by end users. Examples include creativity suites, system utilties, ferramentas de escritório e produtividade e jogos de computador mesmo.
- documentos — Using a similar method the targets can infect documents of different types: documentos de texto rico, planilhas e apresentações. Usually this is done by inserting malicious scripts (macros) that when enabled will start the infection.
It is also possible for victims to infect themselves via seqüestradores de navegador — malicious web browser plugins that are usually distributed on the relevant plugin repositories. The hackers utilize fake developer credentials and user reviews in order to manipulate the users into believing that it is a legitimate instance. The most common behavior tactics modify the default settings in order to redirect the users to a hacker-controlled site. Once this is done tracking cookies can be deployed in order to spy on the victims and afterwards the BackSwap Trojan is installed.
The malicious payloads can also be uploaded to locais controlado por hackers that are designed to look like legitimate download portals. Other popular forms include redes de compartilhamento de arquivos tal como BitTorrent. It appears that the threat is being distributed using the Nemucod Downloader which is responsible for dropping the threats. Its signatures are detected with the following identifiers:
Grobios – More Information and Analysis
Once the virus file is deployed to the victim hosts the infection is started. The security analysis shows that the associated malicious engine has a different mechanism of hooking to system and user-installed applications. Isso é feito por simulating user input instead of interacting with the built-in functions. The BackSwap Trojan therefore does not need to have a specific instructions set for the different architectures.
This type of malicious threat is classified as a Trojan bancário and as such interacts primarily with web browsers. Usually the most popular ones are made compatible: Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft borda, Safari e Opera. The malicious engine generates event hooks that similate actual human behavior. It is also loaded with strings that showcase potential online banking activitiy. There are several behavior events that can suggest potential banking activity: opening of bank-specific URLs, browser tabs, favoritos, entering of two-factor authentication credentials and etc.
The security experts note that Mozilla Firefox and Google Chrome include security measures that protect against self-XSS attacks. However due to the fact that that the BackSwap Trojan simulates letter-by-letter keyboard input and copy/paste operations much of these techniques are automatically mitigated.
Whenever an active online banking session is detected the associated virus engine will hijack the transactions and modify the entered values in order to change the recipients. This happens in an automatic manner and the users have no way of controlling it.
AVISO! It is very possible that future versions of the BackSwap Trojan can exhibit new behavior strains and further adding other modules.
Remove Grobios Effectively from Windows
A fim de se livrar completamente dessa Trojan, aconselhamos que você siga as instruções de remoção sob este artigo. Eles são feitos para que eles ajudá-lo a isolar e, em seguida, excluir o BackSwap Trojan quer manualmente ou automaticamente. Se a remoção manual representa dificuldade para você, especialistas sempre aconselho para realizar a remoção automaticamente executando uma malwares anti-scan software específico através do seu PC. Tais objetivos do programa anti-malware para se certificar de que o Grobios está totalmente desaparecido e seu sistema operacional Windows permanece seguro contra quaisquer futuras infecções por malware.