Delf.EP Trojan steals online banking passwords (Mar 25, 2011).


The SonicWall UTM research team received reports of a new online banking Trojan in the wild. The Trojan's sole purpose is to steal the credentials used to log in to various online banking and payment accounts; it targets sites such as PayPal, MasterCard and Citibank. Its phishing pages are aimed at Brazilian users, but the Trojan will affect any user whose machine it infects, regardless of country.

Once it has compromised a machine, the Trojan's activity is quite simple: it makes only a single modification to the file system.

The Trojan makes the following POST and GET requests to a remote webserver:

The Trojan downloads a hosts.txt from the remote webserver and writes it over the system hosts file at:

  • C:\WINDOWS\system32\drivers\etc\hosts

The hosts file contains the following data:

This hosts file causes all of the above sites to resolve to the IP address of a malicious web server, bypassing DNS entirely. The malicious web server hosts a copy of the pages at each of the original sites listed above. It should be noted that none of the redirected copies uses HTTPS: because the hostname in the address bar still matches the genuine site, the victim sees the expected URL, and the missing padlock (the attacker cannot present a valid certificate for the real domain) is the only visible cue that the page is a fake.
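The redirect described above is a pure hosts-file hijack, so it can be detected from the hosts file alone without any network traffic. The following is an added example, not SonicWall's code or part of the original write-up: it parses a Windows-style hosts file and flags any banking or payment domain that is mapped to a non-loopback address, then groups the hijacked names by target IP. The sample hosts file, the watch list and the 192.0.2.44 address (a TEST-NET-1 documentation address) are constructed for illustration; the write-up does not give the real attacker IP here and none is assumed.

```python
"""Detect hosts-file pharming of the kind described in the write-up.

Added example, not SonicWall's code. SAMPLE_HOSTS and 192.0.2.44 are
constructed for illustration; the real attacker address is not known
from the write-up and is not assumed here.
"""
import ipaddress
from pathlib import Path

# Location the write-up says the Trojan overwrites.
WINDOWS_HOSTS = Path(r"C:\WINDOWS\system32\drivers\etc\hosts")

# Constructed sample of a hijacked hosts file. Brands follow the
# write-up; the 192.0.2.44 address is a documentation address, not the
# Trojan's server. The 10.0.0.5 entry is a legitimate intranet mapping.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.44      www.paypal.com
192.0.2.44      paypal.com
192.0.2.44      www.mastercard.com
192.0.2.44      www.citibank.com
10.0.0.5        intranet.corp.example
"""

# Constructed watch list of domains that should never appear in an
# end-user hosts file. Extend it with the institutions you care about.
WATCH_DOMAINS = ("paypal.com", "mastercard.com", "citibank.com")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file,
    skipping comments, blank lines and lines the OS resolver would ignore."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; the resolver ignores it as well
        for host in parts[1:]:
            yield ip, host.lower().rstrip("."), line_no


def is_benign_target(ip):
    """Loopback, unspecified and link-local targets are normal hosts entries
    (localhost, ad-blocking sinkholes to 0.0.0.0, and so on)."""
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def find_hijacks(text, watch_domains):
    """Return entries that map a watched domain (or any subdomain of it)
    to a non-loopback address. A public bank or payment brand has no
    legitimate reason to be pinned in a hosts file on a user's PC."""
    hits = []
    for ip, host, line_no in parse_hosts(text):
        if is_benign_target(ip):
            continue
        if any(host == d or host.endswith("." + d) for d in watch_domains):
            hits.append({"line": line_no, "host": host, "ip": str(ip)})
    return hits


def sinkhole_summary(hits):
    """Group hijacked hostnames by target IP. Several unrelated brands all
    pointing at one address is the pharming pattern the write-up describes."""
    by_ip = {}
    for hit in hits:
        by_ip.setdefault(hit["ip"], []).append(hit["host"])
    return by_ip


if __name__ == "__main__":
    # Read the live hosts file when run on Windows, else use the sample.
    if WINDOWS_HOSTS.exists():
        text = WINDOWS_HOSTS.read_text(errors="replace")
    else:
        text = SAMPLE_HOSTS
    for ip, hosts in sinkhole_summary(find_hijacks(text, WATCH_DOMAINS)).items():
        print(f"{ip} <- {', '.join(hosts)}")
```

Run on the sample, the script reports one external address collecting four banking hostnames. On a clean machine it reports nothing, since every watched domain is absent from the hosts file and loopback entries are ignored. The same check can be scheduled from an endpoint agent; the hosts file is small enough to hash and compare against a known-good copy as well.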

The screenshot below shows a non-HTTPS Brazilian copy of one of the targeted sites, hosted on the malicious webserver:

Upon entering the username and password the following messagebox is displayed:

The screenshot below shows the default malicious page loaded for the MasterCard site. This page requests credit card information in exchange for supposed benefits:

Upon submitting the requested information the following page is displayed:


      Congratulations, your MasterCard was successfully registered in our database!
      Now you compete for prizes every month up to $ 500,000.00 (Five Hundred Thousand Dollars), and $ 50.00 each in
      purchases made with your MasterCard, you earn 01 point to exchange for goods or services
      our partners.
      Warning: Though it was already participating in, your login will be released only after the next billing cycle.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Delf.EP (Trojan)
