OddJob Trojan hijacking banking sessions

gallery

A financial Trojan able to hijack online banking sessions has been spotted.

Trusteer named the new piece of malware OddJob, noting how it could keep banking sessions going even after customers believed they had logged off.

OddJob was used to log requests, grab full pages, terminate connections and inject data into web pages, with all activity relayed to a command and control server.

The malware was able to get hold of session ID tokens, which were used by banks to identify legitimate users, giving cyber criminals the cover they needed.

According to Trusteer, the most significant difference between OddJob and standard pieces of malicious software is that the former only requires the hacker to ride on an existing session, rather than logging into specific online banking computers.

The hackers, based in Eastern Europe, hit financial institutions in the US, Poland and Denmark.

However, the malware could easily be used to acquire funds from any country, explained Amit Klein, Trusteer's chief technology officer, who described OddJob as “fairly exceptional.”

“We definitely expect it to spread across Europe, into the UK etc,” he said.

Klein said the most impressive aspect of OddJob was its speed of evolution, telling IT PRO it will definitely improve as time goes on.

“The malware is still under development. [In the future] we don’t expect to see what we see right now,” Klein added.

OddJob has been seen spreading via drive-by downloads, where users head to a booby-trapped website and have malware installed on their systems without any knowledge of it.

Klein said Trusteer had been unable to report on OddJob until now due to ongoing investigations, although these have now come to a close.

The most well-known financial Trojan in the security industry is Zeus. Foreign Secretary William Hague recently admitted the UK Government had been targeted by the notorious malware.

Email to a friend

Print this page