Description
The Win32/Bancos family name is used to describe many varied trojans that all share one common feature:
they attempt to steal sensitive information that can be used to gain unauthorized access to bank
accounts via Internet Banking. The name Bancos reflects the fact that most variants target
Brazilian banks. The first Bancos trojan was discovered in 2003, and there are now well over 2,000
distinct variants, with more being discovered every day.
Some members of the Bancos family act as keyloggers, tracking keystrokes that the user enters into
particular web pages. Others use phishing techniques, displaying fake login windows for particular
banks, then capturing the information that is entered into them.
Once the information is captured, it is usually sent to another party, presumably the trojan's author.
It may be sent via e-mail or uploaded to a remote server via FTP or HTTP.
The Win32/Bancos name is also applied to programs that don't steal information directly, but instead
silently download and execute other programs that do. Some variants are also packaged in "droppers"
along with clean programs that are run to distract the user from noticing the trojan's presence.
Analysis by Hamish O'Dea