New Session-Stealing Banking Trojan Identified

Not open for further replies.


Staff member
Jan 24, 2011
Trusteer, a provider of secure browsing solutions, warns that a new banking trojan capable of hijacking online banking sessions in real time has been identified.

Dubbed OddJob, after Goldfinger's henchman in the Bond series, the trojan appeared a few months ago, but it was kept under wraps because of ongoing law enforcement investigations.

It's still very much a work in progress and Trusteer researchers have seen code modifications made as recent as a few days ago.

The trojan hooks into Firefox or Internet Explorer functions and monitors browsing activity on a predefined list of websites.

It can log GET and POST requests, grab full HTML pages, inject code and terminate connections.

All these features give fraudsters the ability to control a user's online banking session in real time without their knowledge.

A rather unique feature is the trojan's ability to intercept and bypass logout requests in to keep the sessions opened. The functionality provides even more time for attackers to abuse the victim's account.

Also, another interesting aspect of OddJob is that it doesn't keep a config file on disk. Instead, it reads the configuration directly from the command and control server each time a new browsing session is started.

"Our research team has reverse engineered and dissected OddJob's code methodology, right down to the banks it targets and its attack methods," Trusteer's chief technology officer, Amit Klein, notes.

"Trusteer has already warned Financial Institutions that OddJob is being used by criminals based in Eastern Europe to attack their customers in several countries including the USA, Poland and Denmark," he adds.

More details - link
Not open for further replies.