Tool Release: A Banking Trojan Detection Tool
15 Aug 2011
As many of our readers know, banking trojans have become extremely widespread over the course of the last few years. There are hundreds of thousands, if not millions, of computers on the internet that are infected by these malicious programs.
We created an experimental tool that can detect almost all variants from the TOP 5 of banking trojan families: Zeus, SpyEye, Carberp, Gozi and Patcher, if they are active and running on the infected computer. The tool works by scanning the memory of each running process, looking for telltale signs of this malware. If any signs are detected, the tool will report the malware name and the affected process name.
The advantage of the tool is that it doesn’t use a conventional signature database, where a detection can be usually avoided by re-packing the malware with a new obfuscation layer. Instead it looks for pieces of code that belong to the actual malware itself.
We’d love to hear any improvement suggestions and comments, feel free to contact us at info(at)fitsec.com
The tool can be downloaded here: hxxp://wxw.fitsec.com/tools/DeBank.exe
By downloading and/or using the tool you agree to the license terms that are described here: hxxp://wxw.fitsec.com/tools/license.txt
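The announcement above describes the approach in two sentences: scan the memory of every running process and look for fragments of the malware's own code rather than for a hash of the packed file, because the unpacked code must be present in memory for the trojan to run. The following is an added illustration of that idea, not DeBank's code and not affiliated with fitsec: a small masked-pattern scanner over a process's memory regions. All patterns, region contents, process names and family names (`ExampleFamilyA`, `ExampleFamilyB`) are constructed placeholders for the example; they are not real malware signatures. The obfuscated copy at the end shows the point made in the announcement: the same bytes wrapped in a new obfuscation layer no longer match, while the unpacked code in an executable region still does.

```python
"""Masked code-fragment scanner over process memory regions.

Added example illustrating in-memory detection of unpacked code; it is not the
DeBank tool's source. Every pattern and memory region here is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Region:
    base: int      # virtual address where the region starts
    perms: str     # e.g. "r-x" (executable) or "rw-" (data only)
    data: bytes    # bytes read from the process at `base`


@dataclass
class Signature:
    family: str
    pattern: bytes            # byte values; ignored where mask is False
    mask: Tuple[bool, ...]    # True = must match, False = wildcard (??)


@dataclass
class Hit:
    process: str
    family: str
    address: int   # virtual address of the matched fragment


def parse_pattern(family: str, text: str) -> Signature:
    """Parse a 'AA BB ?? CC' style hex pattern; '??' is a wildcard byte."""
    pat, mask = bytearray(), []
    for tok in text.split():
        if tok == "??":
            pat.append(0)
            mask.append(False)
        else:
            pat.append(int(tok, 16))
            mask.append(True)
    return Signature(family, bytes(pat), tuple(mask))


def find_masked(data: bytes, sig: Signature) -> Optional[int]:
    """Return the offset of the first masked match of `sig` in `data`, or None."""
    n = len(sig.pattern)
    first_fixed = next((i for i, m in enumerate(sig.mask) if m), None)
    if first_fixed is None:  # pattern is all wildcards; matches anything
        return 0 if len(data) >= n else None
    anchor = sig.pattern[first_fixed]
    pos = data.find(anchor)  # fast scan on the first fixed byte, then verify
    while pos != -1:
        start = pos - first_fixed
        if start >= 0 and start + n <= len(data) and all(
            not m or data[start + i] == sig.pattern[i] for i, m in enumerate(sig.mask)
        ):
            return start
        pos = data.find(anchor, pos + 1)
    return None


def scan_process(process: str, regions: List[Region], sigs: List[Signature],
                 executable_only: bool = True) -> List[Hit]:
    """Scan a process's regions; by default only executable ones, since
    unpacked code that actually runs must live in an executable mapping."""
    hits: List[Hit] = []
    for r in regions:
        if executable_only and "x" not in r.perms:
            continue
        for s in sigs:
            off = find_masked(r.data, s)
            if off is not None:
                hits.append(Hit(process, s.family, r.base + off))
    return hits


# Constructed placeholder signatures (not real malware code fragments).
SAMPLE_SIGNATURES = [
    parse_pattern("ExampleFamilyA", "55 8B EC 83 EC ?? 68 ?? ?? ?? ?? E8"),
    parse_pattern("ExampleFamilyB", "60 E8 00 00 00 00 5D 81 ED"),
]

# Constructed memory image of a hypothetical process: one executable region
# holding the "unpacked" fragment A, one data region holding fragment B.
_EXEC_BYTES = b"\x90" * 7 + bytes.fromhex("558bec83ec40681122334 4e8".replace(" ", "")) + b"\x90" * 4
_DATA_BYTES = b"\x00" * 3 + bytes.fromhex("60e8000000005d81ed") + b"\x00" * 2
SAMPLE_REGIONS = [
    Region(0x00401000, "r-x", _EXEC_BYTES),
    Region(0x00402000, "rw-", _DATA_BYTES),
]

# The same executable bytes behind a trivial XOR layer, as a stand-in for a
# repacked file on disk: the fixed bytes no longer line up, so nothing matches.
OBFUSCATED_REGION = Region(0x00401000, "r-x", bytes(b ^ 0x5A for b in _EXEC_BYTES))


if __name__ == "__main__":
    for h in scan_process("example.exe", SAMPLE_REGIONS, SAMPLE_SIGNATURES):
        print(f"{h.process}: {h.family} at 0x{h.address:08x}")
    print("obfuscated copy hits:", scan_process("example.exe", [OBFUSCATED_REGION], SAMPLE_SIGNATURES))
```

In a real scanner the `Region` list comes from the operating system rather than from constants: on Windows by walking `VirtualQueryEx` and reading with `ReadProcessMemory`, on Linux by parsing `/proc/<pid>/maps` and reading `/proc/<pid>/mem`. The wildcard positions are what make the approach tolerant of per-build differences (relocated addresses, immediate values) while still requiring the surrounding instruction bytes to be present, and restricting the scan to executable mappings cuts false positives from signature bytes that merely sit in a data buffer.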
From what we have established so far in this thread now we can safely say that the earlier detections were just heuristic flags because of the packers used, e.g. Packers (Drweb): PESTUB, VMPROTECT. So the tool should be OK. VT community verdict is - goodware -. Still in experimental stage, this free tool can be used occasionally when one has certain suspicion about a banking trojan infection and wants to scan the memory space of every running process looking for banking trojans’ pieces of code. Another free tool to add to the toolchest of the qualified malware removers, like we have here on our forum, like: essexboy, oldman, argus, etc.