OddJob financial malware detected that allows accounts to be raided after a session is ended

New financial malware that can hijack customers' online banking sessions and keep them open after users log out has been detected.

Trusteer said that it had been monitoring the malware, named ‘OddJob', for a few months, but had not been able to talk about it until now due to ongoing investigations by law enforcement agencies, which have now been completed.

Amit Klein, CTO of Trusteer, said that reverse engineering of OddJob's code has found that it has been used by criminals based in Eastern Europe to attack customers in several countries including the USA, Poland and Denmark.

He also said that the most interesting aspect of this malware is that it appears to be a work in progress, as there are differences in the way that the hooked functions operate, as well as in the way the command and control (C&C) protocols operate.

“We believe that these functions and protocols will continue to evolve in the near future and that our analysis of the malware's functionality may not be 100 per cent complete as the code writers continue to refine it,” he said.

“OddJob's most obvious characteristic is that it is designed to intercept user communications through the browser. It uses this ability to steal/inject information and terminate user sessions inside Internet Explorer and Firefox.

“We have extracted OddJob's configuration data and concluded that it is capable of performing different actions on targeted websites, depending on its configuration. The code is capable of logging GET and POST requests, grabbing full pages, terminating connections and injecting data into web pages.”

He said that, once captured from the user, all logged requests and grabbed pages are sent to the C&C server in real time, allowing fraudsters to perform session hijacks in real time while remaining hidden from the legitimate user of the online bank account.

Klein went on to say that a key difference between OddJob and conventional hacking is that the fraudsters do not need to log into the online banking computers; they simply ride on the existing, authenticated session. OddJob can also bypass a user's logout request to terminate their online session. As the interception and termination are carried out in the background, the legitimate user thinks they have logged out, while the fraudsters remain connected, allowing them to maximise the profit potential of their fraudulent activities.
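A server-side check for the session riding described above, as an added example that is not from Trusteer or the original article: it scans access-log records for a session that starts being used by a second client or that outlives an absolute lifetime. The log format, the 30-minute lifetime and the premise that the rider connects from a client other than the victim's are assumptions.

```python
from datetime import datetime, timedelta

# Constructed access-log lines (not real traffic):
# timestamp, session id, client IP, user agent, request path
SAMPLE_LOG = """\
2011-02-22T10:00:00 s1 198.51.100.7 MSIE8 /login
2011-02-22T10:02:10 s1 198.51.100.7 MSIE8 /accounts
2011-02-22T10:03:30 s1 203.0.113.50 Firefox3 /accounts
2011-02-22T10:50:00 s1 203.0.113.50 Firefox3 /transfer
2011-02-22T11:00:00 s2 192.0.2.14 Firefox3 /login
2011-02-22T11:05:00 s2 192.0.2.14 Firefox3 /logout
"""

MAX_LIFETIME = timedelta(minutes=30)  # assumed absolute session lifetime


def find_suspect_sessions(log_text, max_lifetime=MAX_LIFETIME):
    """Return {session_id: sorted reasons} for sessions that look ridden."""
    first_seen = {}  # session id -> (first timestamp, (ip, user agent))
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, sid, ip, ua, _path = line.split()
        ts = datetime.fromisoformat(ts_raw)
        if sid not in first_seen:
            # The first request fixes the client the session is bound to.
            first_seen[sid] = (ts, (ip, ua))
            continue
        start, client = first_seen[sid]
        reasons = findings.setdefault(sid, set())
        if (ip, ua) != client:
            # Same session token presented by a different client.
            reasons.add("new-client")
        if ts - start > max_lifetime:
            # Session still in use after the server should have ended it.
            reasons.add("lifetime-exceeded")
    return {sid: sorted(r) for sid, r in findings.items() if r}


if __name__ == "__main__":
    for sid, reasons in find_suspect_sessions(SAMPLE_LOG).items():
        print(sid, reasons)
```

Because a suppressed logout never reaches the server, the absolute lifetime is the control that bounds how long a ridden session stays usable; the client-change check only fires when the rider does not proxy through the victim's machine.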

The final noteworthy aspect of OddJob, according to Trusteer, is that the malware's configuration is not saved to disk; instead a fresh copy of the configuration is fetched from the C&C server each time a new browser session is opened.

Klein said: “It is important to note that OddJob is just one of several pro-active malware applications that our research team sees on a regular basis, but its coding methodology indicates a lot of thought on the part of the coders behind the fraudware.

“Careful analysis and research is needed to reverse engineer and dissect fraudulent applications like OddJob, but our message to banks and their online banking users is unchanged. They need to maintain constant vigilance, apply software updates, maintain an awareness of new threats and deploy complementary security solutions that can defend against evolving attack methods.”
