Sniff out banking Trojans with DeBank


Security company Damballa announced this week that the source code for SpyEye, one of the most dangerous banking Trojans around, has been leaked online. That is good for researchers, who can better understand how it works. But it also means that a malware kit that used to cost more than $10,000 is now available for free, so it is expected to become an even more pervasive threat in the next few weeks.

No need to panic just yet, though, as coincidentally Finnish security company Fitsec has just released DeBank, a portable tool that can detect the presence of all five major banking Trojan families on the target PC: SpyEye, Zeus, CarBerp, Gozi and Patcher.

You probably have an antivirus package that will claim to do much the same thing already, but as all these malware variants are particularly good at avoiding close scrutiny, it makes sense to have something that can offer a second opinion. And DeBank does have a particular advantage, in that it doesn't use conventional signature checks, a technique that can be bypassed simply by packing the malware in a different way. Instead, the program scans process memory for chunks of code belonging to each malware family, a much more reliable approach.
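The difference between the two approaches can be shown with a short added example (not DeBank's code; the article does not describe its matching logic). The byte pattern, family label, process names and the XOR `pack` stand-in for a packer are all constructed for illustration.

```python
import hashlib
import re

# Constructed byte pattern standing in for a code chunk shared by every build
# of one family; None marks bytes that differ between builds (wildcards).
PATTERNS = {
    "family-A (constructed)": [0x55, 0x8B, 0xEC, 0x83, 0xEC, None,
                               0x68, None, None, None, None, 0xE8],
}

def compile_pattern(pattern):
    """Convert a byte/wildcard list into a compiled bytes regex."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in pattern]
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_pattern(p) for name, p in PATTERNS.items()}

def scan_buffer(data):
    """Return the families whose code chunk occurs anywhere in data."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))

def scan_processes(processes):
    """Map process name -> matched families, given {name: [region bytes]}."""
    hits = {}
    for proc, regions in processes.items():
        found = sorted({f for r in regions for f in scan_buffer(r)})
        if found:
            hits[proc] = found
    return hits

def pack(code, key):
    """Toy stand-in for a packer: the bytes on disk change with the key."""
    return bytes(b ^ key for b in code)

# Constructed sample: the chunk as it sits in memory once the code has unpacked.
UNPACKED = b"\x90" * 32 + bytes.fromhex("558bec83ec106800104000e8") + b"\x90" * 32
DISK_V1, DISK_V2 = pack(UNPACKED, 0x5A), pack(UNPACKED, 0xA7)
KNOWN_FILE_HASHES = {hashlib.sha256(DISK_V1).hexdigest()}  # signature from build 1

def file_signature_match(file_bytes):
    """Conventional check: is the hash of the on-disk file already known?"""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_FILE_HASHES

PROCESSES = {  # constructed memory snapshot; process names are placeholders
    "clean.exe": [b"\x00" * 64, b"MZ" + b"\x90" * 62],
    "suspect.exe": [b"\x00" * 64, UNPACKED],
}

if __name__ == "__main__":
    print("file signature:", file_signature_match(DISK_V1), file_signature_match(DISK_V2))
    print("pattern on disk:", scan_buffer(DISK_V1), scan_buffer(DISK_V2))
    print("memory scan:", scan_processes(PROCESSES))
```

The file signature recognizes only the first build and the pattern finds nothing in either packed file, while the scan of the unpacked memory region names the suspect process.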

DeBank comes in the form of a Windows console tool, but is very easy to use. Simply launch the program -- running it as an administrator in Windows Vista or 7 (right-click, select "Run as administrator") -- and wait. Within a couple of minutes DeBank will either offer an all-clear, or name the suspect process if it's found something.

What DeBank can't do, unfortunately, is remove any embedded threat -- the program is strictly detection-only. So if it turns out your system is infected by something unpleasant then you'll need some additional help to clean it up; Malwarebytes Anti-Malware is probably a good tool to try first.


© 1998-2024 BetaNews, Inc. All Rights Reserved.