OddJob is the name Trusteer has given to an apparently new Trojan that keeps sessions open after customers think they have “logged off”, enabling criminals to extract money and commit fraud unnoticed. This malware agent shows how ingenuity can side-step many commercial security applications used to defend online assets.
The malware appears to be a work in progress. Trusteer has seen differences in hooked functions as well as the way the Command & Control (C&C) protocols operate over the past few weeks. These functions and protocols will likely continue to evolve, and analysis of the malware’s functionality may not be 100% complete as the code is being refined.
OddJob is designed to intercept user communications through the browser to steal or inject information, and to terminate user sessions inside Internet Explorer and Firefox. It can be configured to perform different actions on targeted Web sites, such as logging GET and POST requests, grabbing full pages, terminating connections and injecting data into Web pages. All logged requests and grabbed pages are sent to the C&C server in real time, allowing fraudsters to hijack the session as it happens while remaining hidden from the owner of the online bank account. By tapping the session ID token used to identify a user’s online banking session, fraudsters can electronically impersonate the legitimate user and complete a range of banking operations. They simply ride on the existing, already authenticated session.
OddJob can also intercept a user’s logout request so that the online session is never terminated on the server. Because the interception and suppression of the logout is carried out in the background, the legitimate user thinks they have logged out, but the fraudsters remain connected, allowing them to maximise their profit.
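The two behaviours above (riding a stolen session token, and suppressing the logout so the server never closes the session) are both defeated only on the server side, because the browser is the component under the attacker's control. The following session store is an added illustration written for this article, not Trusteer's or any bank's code: it makes the server the sole authority on whether a session is alive, enforces idle and absolute timeouts so a session whose logout never arrives still dies, and binds each token to the client it was issued to so that the same token replayed from another host is revoked and raised as an alert. The timeout values, fingerprint inputs and sample clients are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy values for the demo (constructed assumptions, not from the write-up).
IDLE_TIMEOUT = 10 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 60 * 60    # hard cap on session life regardless of activity


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client attributes a session is bound to at login."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    created: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Server-side session registry.

    The store, not the browser, decides whether a session is alive: a
    logout request the malware drops cannot keep the session open past the
    timeouts, and a token presented from a different client than the one
    that logged in is revoked and logged for the fraud team.
    """

    def __init__(self, now=time.time):
        self._now = now                          # injectable clock for testing
        self._sessions: dict[str, Session] = {}
        self.alerts: list[str] = []

    def login(self, user: str, ip: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)        # unguessable session ID
        t = self._now()
        self._sessions[token] = Session(user, client_fingerprint(ip, user_agent), t, t)
        return token

    def validate(self, token: str, ip: str, user_agent: str) -> bool:
        """Return True only for a live session used by the client it was issued to."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return False
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            s.revoked = True                     # expires even if logout never arrived
            return False
        if not hmac.compare_digest(s.fingerprint, client_fingerprint(ip, user_agent)):
            s.revoked = True                     # token replayed from elsewhere: kill it
            self.alerts.append(f"session for {s.user} reused from a different client; revoked")
            return False
        s.last_seen = t
        return True

    def logout(self, token: str) -> None:
        """Explicit logout: invalidate server-side, never rely on the browser."""
        s = self._sessions.get(token)
        if s is not None:
            s.revoked = True


def demo() -> dict:
    """Walk through the hijack and suppressed-logout scenarios with a fake clock."""
    clock = [1_000.0]
    store = SessionStore(now=lambda: clock[0])
    ua = "Mozilla/5.0 (constructed sample)"
    tok = store.login("alice", "203.0.113.5", ua)        # constructed customer client
    legit = store.validate(tok, "203.0.113.5", ua)
    replay = store.validate(tok, "198.51.100.9", ua)     # same token from another host
    # Suppressed logout: the session is simply never used again; it must still expire.
    tok2 = store.login("bob", "203.0.113.7", ua)
    clock[0] += IDLE_TIMEOUT + 1
    expired = store.validate(tok2, "203.0.113.7", ua)
    return {"legit": legit, "replay": replay, "expired": expired, "alerts": list(store.alerts)}


if __name__ == "__main__":
    print(demo())
```

Fingerprint binding catches the case this article describes, where the stolen token is used from the fraudster's own infrastructure, but it would not catch requests relayed through the victim's own browser, and it produces false positives for customers whose address changes mid-session (mobile networks, corporate proxies); the timeouts and server-side invalidation are therefore the baseline control, with binding and transaction-level checks layered on top.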
OddJob’s configuration information is also not saved to disk in order to avoid detection. Instead, a fresh copy of the configuration is fetched to memory from the C&C server each time a new browser session is opened.
Trusteer has been monitoring OddJob for a few months while law enforcement agencies have been investigating attacks. Trusteer’s research team has reverse engineered OddJob’s code, down to the banks it targets and its attack methods. OddJob is being used by criminals based in Eastern Europe to attack bank customers in many countries, including the US, Poland and Denmark.