New Financial Trojan OddJob Keeps Online Banking Sessions Open after Users "Logout"
Our research team has reverse engineered and dissected OddJob's code methodology, right down to the banks it targets and its attack methods. Trusteer has already warned Financial Institutions that OddJob is being used by criminals based in Eastern Europe to attack their customers in several countries including the USA, Poland and Denmark.
The most interesting aspect of this malware is that it appears to be a work in progress, as we have seen differences in hooked functions in recent days and weeks, as well as the way the Command & Control (C&C) protocols operate. We believe that these functions and protocols will continue to evolve in the near future, and that our analysis of the malware's functionality may not be 100 per cent complete as the code writers continue to refine it.
OddJob's most obvious characteristic is that it is designed to intercept user communications through the browser. It uses this ability to steal/inject information and terminate user sessions inside Internet Explorer and Firefox.
We have extracted OddJob's configuration data and concluded that it is capable of performing different actions on targeted Web sites, depending on its configuration. The code is capable of logging GET and POST requests, grabbing full pages, terminating connections and injecting data into Web pages.
All logged requests/grabbed pages are sent to the C&C server in real time, allowing fraudsters to perform session hijacks, also in real time, but hidden from the legitimate user of the online bank account.
By tapping the session ID token - which banks use to identify a user's online banking session - the fraudsters can electronically impersonate the legitimate user and complete a range of banking operations.
The most important difference from conventional hacking is that the fraudsters do not need to log into the online banking computers - they simply ride on the existing and authenticated session, much as a child might slip in unnoticed through a turnstile at a sports event, train station, etc.
Another interesting feature of OddJob, which makes it stand out from the malware crowd, is its ability to bypass the logout request of a user to terminate their online session. Because the interception and termination is carried out in the background, the legitimate user thinks they have logged out, when in fact the fraudsters remain connected, allowing them to maximise the profit potential of their fraudulent activities.
All matching is case-insensitive, and, using this process of pattern matching, fraudsters using OddJob are able to cherry pick the sessions and targets they swindle to their best advantage.
The final noteworthy aspect of OddJob is that the malware's configuration is not saved to disk - a process that could trigger a security analysis application - instead; a fresh copy of the configuration is fetched from the C&C server each time a new browser session is opened.
The good news is that Trusteer's Rapport secure web access software- which is now in use by millions of online banking customers - can prevent OddJob from executing.
It's important to note that OddJob is just one of several pro-active malware applications that our research team sees on a regular basis, but its coding methodology indicates a lot of thought on the part of the coders behind the fraudware.
Careful analysis and research is needed to reverse engineer and dissect fraudulent applications like OddJob, but our message to banks and their online banking users is unchanged. They need to maintain constant vigilance, apply software updates, maintain an awareness of new threats and deploy complementary security solutions that can defend against evolving attack methods.
For more information see http://www.trusteer.com/blog
Press releases you might also be interested in
Weitere Informationen zum Thema "Security":
Office 365 mit Netwrix Auditor effizient überwachen
Unternehmen, die auf Office 365 setzen, benötigen Lösungen um die Verwendung und Sicherheit der wichtigsten Dienste zu überwachen. Mit Netwrix Auditor kann ein Admin auf Exchange Online, SharePoint Online und OneDrive for Business ein Auge werfen. Parallel zu Office 365 lässt sich mit Netwrix Auditor außerdem auch noch das Microsoft Azure Active Directory überwachen.Weiterlesen