Symantec researchers currently tracking a banking Trojan called Trojan Neloweg. According to their research, the threat has been localized to Europe. This Trojan steals login credentials of infected users including banking data.
Neloweg operates similar to notorious banking Trojan Zeus. Like Zeus, Trojan.Neloweg can detect which site it is on and add custom JavaScript. But while Zeus uses an included configuration file, Trojan.Neloweg stores this on a malicious webserver.
Once a particular banking page has been matched, Trojan.Neloweg will cover part of the page in white, using a hidden DIV tag, and execute custom JavaScript located on the malicious server
The browser of Infected system can function like a bot and accept commands. It can process the content of the current page that it is on, redirect the user, halt the loading of particular pages, steal passwords, run executables, and even kill itself. Unfortunately the kill function is a bit excessive, and deletes critical system files, which in turn prevent users from logging in properly.
Neloweg operates similar to notorious banking Trojan Zeus. Like Zeus, Trojan.Neloweg can detect which site it is on and add custom JavaScript. But while Zeus uses an included configuration file, Trojan.Neloweg stores this on a malicious webserver.
Once a particular banking page has been matched, Trojan.Neloweg will cover part of the page in white, using a hidden DIV tag, and execute custom JavaScript located on the malicious server
 |
| Neloweg infection |
The browser of Infected system can function like a bot and accept commands. It can process the content of the current page that it is on, redirect the user, halt the loading of particular pages, steal passwords, run executables, and even kill itself. Unfortunately the kill function is a bit excessive, and deletes critical system files, which in turn prevent users from logging in properly.
