08 Mar 2011
Security researchers are beginning to analyse a banking Trojan that made headlines last week.
Known as 'Tatanga', the malware uses key-logging and remote control tools to harvest user log-in credentials.
Two researchers with security firm Trend Micro have been able to infiltrate one of the malware network's command-and-control servers.
Senior threat researchers David Sancho and Kevin Stevens said in a recent report that the malware appears to target banking sites, but also contains other potentially dangerous components.
The researchers noted that the Tatanga malware could also be used by its controllers to collect detailed information on infected machines, and force infected systems to take part in a distributed denial-of-service attack.
The primary function of the malware, however, is banking attacks. The Trend researchers said that, in addition to attempting to pull account data from browser transmissions, the malware attempts to record and upload video of password entry to thwart possible security protections.
Funds from the compromised accounts are automatically sent to accounts controlled by 'money mules' who can presumably then launder the stolen cash.
Researchers explained that the server controlling the malware has been operational since July 2010, indicating that the infection may have been operating undiscovered for some time.
Of particular interest to the researchers was the extremely detailed information the infection collects on users.
"The server keeps track of each client's version and build number, operating system and something called 'malware count', which is presumably the amount of other malware installed," the researchers wrote.
"We don't know who might be detecting them, so it is a puzzling statistic."