Oddjob, a banking trojan more

A new player enters the malware scene targeting financial institutions with a name from the James Bond movie Goldfinger. It’s Oddjob trojan and I must admit the researchers from trusteer.com prove a lot of imagination giving the name of a deadly character to this newly discovered trojan.

The trojan code seems to be not finalized yet, rather in a beta stage or a testing phase and the analysis reveals that its creators from Poland(Eastern Europe) are striving to improve the code functionalities. At this moment banks from USA, Denmark, UK, Poland to name only a few, are the favourite targets of the trojan which acts in the adress space of the victim’s browsers Internet Explorer and Mozilla Firefox. This characteristic is common to almost all the banking trojans as Zeus or Spy Eye and well known to the security researchers.

The trojan injects itself in the browser adress space and monitor the web sessions hooking a few functions provided by wininet.dll and other Windows based system dll’s used by the browser. It has the ability to inject data into web pages, to monitor the browser requests as GET or POST and to log them, sending all the stolen informations including the browser sessions ID or token in real time to the Command & Control server.

A session token is generated by a server and consists from a randomly string used as identifier for the current session. once the user(client) is logged in, the server will generate this identifier which will be used either as a long string in URL, as a cookie(named sometimes as the Magic cookie) or as a parameter in the browser requests as GET or POST. The session token is valid only for a session, when the user log off from the bank site for example, it becomes useless.

Here is where the most notable particularity of this trojan comes into the role, using web data manipulation it can prevent the log off action performed by the user, in the same time he is tricked into thinking he was logged off without problems from the bank server. In reality, he was not and the hacker can use further the still existing session token to perform nefarious operations on the victim bank account. By preventing a true log off, the hacker gain more time for its actions.

A note:  it does not exists a direct connection between the hacker computer and the bank server as other security researchers sustain, instead for all of his actions the hacker uses the victim’s browser.

Another interesting particularity is the mode how it attempts to deceive the traditional antivirus methods of detection, for every new browser session the trojan updates itself with a new configuration downloaded from the Command & Control server and this configuration file is not saved to the harddisk. It’s a well known fact that every write-read operations performed on the harddisk are carefully monitored by the antivirus software, by not saving each time an improved configuration file, the Oddjob trojan tries to escape unnoticed.

Oddjob trojan it’s an attempt to be with a step ahead over the traditional security solutions but it’s not the case because the finacial institutions was alerted and contrameasures was taken however it demonstrates at least one thing : the malware creators proves more imagination, more skills and the battle between them and security vendors is far from an end, instead it increases in intensity.

Keep safe !

Posted in Thoughts.

Leave a Reply

Your email address will not be published. Required fields are marked *