Q
Get started Bring yourself up to speed with our introductory content.

Emotet: How can traffic-sniffing banking malware be thwarted?

A new variety of banking malware can sniff traffic from APIs. Enterprise threats expert Nick Lewis outlines how to mitigate the risk.

I'm concerned about a new breed of banking malware that seems to "sniff" traffic from APIs. How does it work, and...

is it a significant departure from previous banking malware?

Threat Response Engineer Joie Salvio of Trend Micro Inc. wrote a blog post about new banking malware dubbed Emotet that captures data over the network by "sniffing" traffic. This attack method gained popularity with the release of dsniff, where passwords and other data were captured while going over the network unencrypted. Since then, it has been a race to encrypt all data in transport and at rest.

As malware evolves, it will continue to find new places to capture, store or send data.
Nick Lewis

The latest Emotet malware added the step of monitoring data -- or "traffic sniffing" -- before it goes over the network. Other varieties of malware capture data from RAM or from keystrokes; this is an extension of these next techniques.

Emotet needs to first get installed on a victim system by a dropper or other such method. Once installed, the Emotet malware hooks Windows APIs -- just like antimalware tools hook APIs -- to capture data before it goes over the network encrypted. Emotet has functionality to decode the captured data and then store it encrypted in the registry.

As malware evolves, it will continue to find new places to capture, store or send data. Emotet has included many new functions to inject malicious DLLs that monitor traffic onto target networks and store malicious files and collected data in the registry. These features make Emotet more difficult to detect and stop. As new techniques are identified by advanced attackers -- such as storing data in slackspace or alternative data streams -- they are incorporated into modular malware to increase the effectiveness and profitability of the attack for criminals.

To protect against Emotet, enterprises should use the same steps they use to protect endpoints from malware, such as keeping up-to-date patches, not allowing users to run as an administrator, blocking spam, implementing anti-phishing security awareness and using antimalware network appliances to block malicious files from being downloaded. Enterprises should be sure to first verify that the tools used can detect this variety malware and malicious Windows API hooks.

Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)

Next Steps

Learn more about the evolution of banking malware and how it works.

This was last published in February 2015

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

3 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How is your organization protecting itself against banking malware like Emotet?
Cancel
It seems like every other day we read about another major hack to banks, retailers and health care facilities. New malware such as Emotet use "sniffing" to gain access to sensitive banking information. To protect ourselves and our consumers, we are making a transition to "hidden information" processing such as Apple's iPay and lobbying to get US credit cards on the chip and pin protocols used in the rest of the world.
Cancel
Bottom line: Do not download information from sources until verified. Copycat emails are always sent. Simple, never open doors until you know who it is.
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close