OddJob Trojan Prevents Online Banking Session Termination

Wednesday, February 23, 2011



A report by researchers at Trusteer details a sophisticated new strain of malware called OddJob that is being utilized to hijack online banking sessions.

The report indicates that cyber criminals have already successfully employed the OddJob trojan in several countries, including the United States, Denmark, and Poland.

The malware allows the attackers to execute banking transactions by piggybacking a legitimate user login and keeping the session open after the victim believes they have safely logged out of the account.

"All logged requests/grabbed pages are sent to the C&C server in real time, allowing fraudsters to perform session hijacks, also in real time, but hidden from the legitimate user of the online bank account. By tapping the session ID token - which banks use to identify a user's online banking session - the fraudsters can electronically impersonate the legitimate user and complete a range of banking operations," the report from Trusteer states.

The OddJob malware is somewhat unique in that the attackers use an existing session and ID token to inject transaction commands, as opposed to trojans that steal authentication details to be used in a separate set of fraudulent transactions.

"The most important difference from conventional hacking is that the fraudsters do not need to log into the online banking computers - they simply ride on the existing and authenticated session, much as a child might slip in unnoticed through a turnstile at a sports event, train station, etc." the report continues.

The malware also prevents the victim from successfully logging out, though the target believes they have terminated the session, then allows the attackers to mix the fraudulent transactions in with legitimate ones.

"Another interesting feature of OddJob, which makes it stand out from the malware crowd, is its ability to bypass the logout request of a user to terminate their online session.  Because the interception and termination is carried out in the background, the legitimate user thinks they have logged out, when in fact the fraudsters remain connected, allowing them to maximise the profit potential of their fraudulent activities."

OddJob is difficult to detect with conventional antivirus software because the malware's configuration is not stored on the compromised device. A new version of the configuration is retrieved from the command and control server each time a browser session is opened.

Trusteer also states that the malware seems to be a work in progress, noting changes to the command and control protocols over time.

The company recommends banking clients be vigilant and monitor accounts closely for unauthorized transactions.

Source:  http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-logout

Possibly Related Articles:
Viruses & Malware
fraud Trojans malware Banking Headlines Online OddJob Trojan
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.