http://news.softpedia.com/news/rete...-to-target-customers-of-uk-banks-505679.shtml

Retefe Banking Trojan Uses Root Certificate to Target Customers of UK Banks

The most recent Retefe campaign leverages spam email that distributes documents laced with malicious JavaScript code. When users open the document and double-click an image embedded inside it, the JS code does two things. It first downloads and installs a rogue root certificate, and then changes the operating system's proxy auto-config settings.

Retefe adds its own root certificate, changes proxy settings

When installing the root certificate, users barely get a glimpse of a popup that asks them to confirm the action, because the trojan uses a PowerShell script to automatically click yes in this popup.

Avast researchers have broken down Retefe's most recent trick, and they say the popup (seen below) asks the user to approve the installation of a root certificate that claims to be from Comodo. In fact, Avast explains the certificate is issued by "me@myhost.mydomain" and has nothing to do with Comodo.

While all this is happening, Retefe is also setting up a proxy connection, which will redirect some traffic through a Tor website. Crooks target a few UK banks (NatWest, Barclays, HSBC, Santander, UlsterBank, Sainsbury's Bank, Tesco Bank, Cahoot, IF.com), but also generic traffic going to *.com, *.co.uk domains.
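The article describes two host artifacts: a rogue certificate dropped into a trusted-root store, and a changed proxy auto-config (PAC) URL. As an added example (not code from the article, from Avast, or from either poster in this thread), the PowerShell audit below checks a Windows host for both. The certificate store paths and the Internet Settings registry value names (AutoConfigURL, ProxyEnable, ProxyServer) are standard Windows ones, and the issuer string is the one the article quotes; the severity labels and the other heuristics (e-mail address in an issuer, subject naming Comodo without being self-issued, a .onion host in the PAC URL) are my own assumptions.

```powershell
# Added example, not code from the article, Avast or the posters in this thread.
# Audits a Windows host for the two artifacts described in the article:
#   (1) a rogue certificate in a trusted-root store, and
#   (2) a proxy auto-config (PAC) URL or static proxy in the user's Internet Settings.
# Store paths and registry value names are standard Windows ones; the issuer string is
# the one quoted in the article; severity labels and other heuristics are assumptions.

function Get-SuspiciousRootCertificate {
    # Issuer string Avast reported for the Retefe certificate (regex-escaped)
    $knownBadIssuer = 'me@myhost\.mydomain'

    # CurrentUser\Root is the store whose import raises the confirmation popup the article mentions
    foreach ($storePath in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        foreach ($cert in Get-ChildItem -Path $storePath) {
            $reasons = @()
            if ($cert.Issuer -match $knownBadIssuer) {
                $reasons += 'issuer matches the string Avast reported for Retefe'
            }
            if ($cert.Issuer -match '@') {
                $reasons += 'issuer contains an e-mail address, unusual for a public CA (assumed heuristic)'
            }
            if ($cert.Subject -match 'COMODO' -and $cert.Issuer -ne $cert.Subject) {
                $reasons += 'subject claims Comodo but the root is not self-issued under that name'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $storePath
                    Thumbprint = $cert.Thumbprint
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotBefore  = $cert.NotBefore
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

function Get-ProxyConfigurationFinding {
    # Per-user WinINET settings, which browsers such as Internet Explorer and Edge honour
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    if ($inet -and $inet.AutoConfigURL) {
        # A PAC URL is normal on managed networks, so it is 'review' by default;
        # a .onion host points at the Tor redirection the article describes (assumed heuristic).
        $severity = if ($inet.AutoConfigURL -match '\.onion') { 'high' } else { 'review' }
        [pscustomobject]@{ Setting = 'AutoConfigURL'; Value = $inet.AutoConfigURL; Severity = $severity }
    }
    if ($inet -and $inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
        [pscustomobject]@{ Setting = 'ProxyServer'; Value = $inet.ProxyServer; Severity = 'review' }
    }

    # System-wide WinHTTP proxy, used by services and some command-line tooling
    $winhttp = (netsh winhttp show proxy) -join ' '
    if ($winhttp -notmatch 'Direct access') {
        [pscustomobject]@{ Setting = 'WinHTTP'; Value = $winhttp.Trim(); Severity = 'review' }
    }
}

Write-Host '== Trusted-root certificates worth reviewing =='
Get-SuspiciousRootCertificate | Format-List

Write-Host '== Proxy configuration =='
Get-ProxyConfigurationFinding | Format-Table -AutoSize
```

Run it in the context of the user who opened the document, since both the certificate store and the Internet Settings key the article refers to are per-user. A confirmed rogue root can be deleted with Remove-Item on its Cert: path (for example Cert:\CurrentUser\Root\<thumbprint>), and the PAC entry cleared with Remove-ItemProperty on AutoConfigURL; record the thumbprint and URL first, because they are the indicators you will want to search for on other hosts.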
So does security software that install their own certs for banking, etc... protect against the mentioned attack?
The security vendors who perform SSL/TLS protocol scanning for the most part do not use a localhost proxy server to decrypt and scan encrypted traffic. They install an NDIS miniport network adapter driver to do the scanning at the network stack level. For a parallel to what this malware is performing, refer to prior postings on the Lenovo Superfish issue that occurred a while back.