Delf.EP Trojan steals online banking passwords .

March 25, 2011

The Sonicwall UTM research team received reports of a new online banking Trojan in the wild. The Trojan's sole purpose is to steal security credentials used to manage various online banking accounts. The Trojan targets sites such as paypal, mastercard and citibank. The Trojan is targeted exclusively at brazilian users but can also affect users from other countries.

The Trojan's activity once it has compromised a machine is quite simple. It makes only a single modification to the file system once it has run.

The Trojan makes the following POST and GET requests to a remote webserver:

The Trojan downloads a hosts.txt from the remote webserver and places it at:

  • C:WINDOWSsystem32driversetchosts

The hosts file contains the following data:

This hosts file causes all of the above sites to point to the IP address of a malicious web server ( The malicious web server hosts a copy of pages at each of the original sites listed above. It should be noted that none of the redirected sites use the HTTPS protocol for secure communication.

The screenshot below shows a non-https brazilian copy of hosted on the malicious webserver:

Upon entering the username and password the following messagebox is displayed:

The screenshot below shows the default malicious page loaded for This page requests credit card information in order to obtain certain benefits:

Upon submitting the requested information the following page is displayed:


      Congratulations, your MasterCard was successfully registered in our database!
      Now you compete for prizes every month up to $ 500,000.00 (Five Hundred Thousand Dollars), and $ 50.00 each in
      purchases made ​​with your MasterCard, you earn 01 point to exchange for goods or services
      our partners.
      Warning: Though it was already participating in, your login will be released only after the next billing cycle.

SonicWALL Gateway AntiVirus provid
es protection against this threat via the following signature:

  • GAV: Delf.EP (Trojan)