A new Trojan that has been plaguing online banking customers in the US, Poland and Denmark for the last three months has now reached British shores.
The OddJob Trojan banking malware aims to hijack bank customers' online sessions in real time so it can keep the sessions open, even after users believe they have logged out. The malware then allows a criminal to carry out illegal transactions, such as transferring money out of an account.
OddJob was discovered three months ago by researchers at Trusteer Inc., an Israeli company that specialises in banking security software, but was recently announced publicly following investigations by law enforcement agencies.
Trusteer confirmed the code appears to emanate from a gang working in Eastern Europe, and that bank customers in the US, Poland and Denmark have already been targeted.
"We have also started to see some new attacks carried out against UK banks in recent days," said Oz Mishli, a malware analyst at Trusteer.
Mishli explained that OddJob differs from other banking Trojans, such as Zeus and Silon, in that the fraudsters using it do not need to log in to the online banking account: they simply ride on the existing, already authenticated session. They can also intercept the user's logout request so that the online session is never terminated. So, while the user believes the session is closed, the criminals are free to carry on with transactions and clear cash from the account.
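Because the Trojan sits in the browser and swallows the logout request, the bank's server never learns that the user wanted the session closed. The server-side controls that limit this kind of session riding are an absolute session lifetime (the session dies at a fixed time after login no matter how much traffic keeps it "alive"), an idle timeout, and a fresh, single-use confirmation step for each money transfer so that a merely authenticated session cannot move funds on its own. The following is an added illustration written for this article, not code from Trusteer or from any bank; the `SessionStore` class, the timeout values and the `FakeClock` used to drive the timeline are all assumptions chosen to make the behaviour visible.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

# Assumed policy values (minutes/seconds are illustrative, not any bank's real settings)
IDLE_TIMEOUT = 10 * 60      # seconds without a request before the session is dropped
ABSOLUTE_TIMEOUT = 30 * 60  # hard cap on session lifetime, however active it looks
STEP_UP_WINDOW = 60         # a transfer must follow its confirmation within this many seconds


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    confirmed_at: Optional[float] = None  # when the user last confirmed a pending transaction


class SessionStore:
    """Minimal server-side session table with the three controls described above."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[token] = Session(user, now, now)
        return token

    def _get(self, token: str) -> Optional[Session]:
        """Return the live session for token, expiring it if either timeout has passed."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[token]
            return None
        s.last_seen = now  # keep-alive traffic only refreshes the idle timer
        return s

    def is_active(self, token: str) -> bool:
        return self._get(token) is not None

    def logout(self, token: str) -> None:
        # Only runs if the logout request actually reaches the server.
        self.sessions.pop(token, None)

    def confirm_transaction(self, token: str, otp_ok: bool) -> bool:
        """Record a fresh out-of-band confirmation (e.g. an OTP the bank verified)."""
        s = self._get(token)
        if s is None or not otp_ok:
            return False
        s.confirmed_at = self.clock()
        return True

    def transfer(self, token: str, amount: int) -> str:
        s = self._get(token)
        if s is None:
            return "denied: no valid session"
        if s.confirmed_at is None or self.clock() - s.confirmed_at > STEP_UP_WINDOW:
            return "denied: transaction needs fresh confirmation"
        s.confirmed_at = None  # each confirmation authorises exactly one transfer
        return f"ok: {s.user} transferred {amount}"


class FakeClock:
    """Constructed clock so the timeline below runs instantly and deterministically."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def legitimate_flow() -> List[str]:
    """User confirms, transfers once, then is refused a second transfer without re-confirming."""
    store = SessionStore(FakeClock())
    token = store.login("alice")
    store.confirm_transaction(token, otp_ok=True)
    return [store.transfer(token, 100), store.transfer(token, 100)]


def hijacked_session_timeline() -> List[Union[str, bool]]:
    """Session kept alive every 5 minutes with the logout never reaching the server."""
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.login("alice")
    results: List[Union[str, bool]] = [store.transfer(token, 500)]  # no confirmation: refused
    for _ in range(7):  # 35 minutes of keep-alive requests
        clock.advance(5 * 60)
        results.append(store.is_active(token))  # True until the absolute cap, then False
    return results


if __name__ == "__main__":
    print(legitimate_flow())
    print(hijacked_session_timeline())
```

The point of the timeline function is that the keep-alive requests refresh only the idle timer; the absolute cap still ends the session at 30 minutes even though no logout ever arrived, and the unconfirmed transfer attempt is refused throughout.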
According to Mishli, users become infected by visiting an infected site. The Trojan downloads itself into the user's browser, which could be Internet Explorer or Firefox, where it waits for the user to carry out transactions with a targeted bank.
Using case-insensitive pattern matching, the malware code searches for targeted banking sessions and alerts the criminals once a session is in progress. At this point, the malware downloads a fresh version of its configuration from the command-and-control server, rather than storing it on the local disk where it might arouse suspicion.
Trusteer said OddJob is capable of performing different actions on targeted websites, depending on its configuration, such as logging GET and POST requests, grabbing full pages, terminating connections and injecting data into webpages.
"The code seems still to be a work in progress," Mishli said. "While we have been monitoring it, we have seen it change before our eyes and develop."