OddJob: the next phase in the evolution of cybercrime?
Trusteer has found a new banking trojan: OddJob.
“We have found,” said Trusteer’s CTO Amit Klein, “a new type of financial malware with the ability to hijack customers’ online banking sessions in real-time using their session ID tokens…
“The most interesting aspect of this malware,” he continued, “is that it appears to be a work in progress, as we have seen differences in hooked functions in recent days and weeks, as well as the way the Command & Control protocols operate. We believe that these functions and protocols will continue to evolve in the near future, and that our analysis of the malware’s functionality may not be 100 per cent complete as the code writers continue to refine it.”
I asked Luis Corrons, technical director at PandaLabs, what he thought about OddJob. “From the technological point of view,” he answered, “it is smart; though I remember a Zeus variant I looked at some years ago that had a similar behaviour. It didn’t do anything about the ‘log out’ option, but was not stealing the user credentials either – it was just replacing the information that the user was entering when doing online money transfers.
“The problem with the OddJob trojan is that all the banks that take the security of their customers seriously require extra authentication for certain transactions (such as money transfers), so having the ability to ‘steal’ the user session is useless for stealing money. Zeus released a new version back in 2010 that was capable of circumventing a 2nd factor authentication using a different device (mobile phone), and that is really challenging as it is one of the best protection methods implemented so far.”
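Corrons makes two points above: a hijacked session is not enough when the bank demands a fresh authentication for a money transfer, and an older Zeus variant simply replaced the details the customer entered. Both are easiest to see in a server-side model where the confirmation code for a transfer is bound to the exact payee and amount the customer approved. The code below is an added example for this article; it is not Trusteer's, PandaLabs' or any bank's code. The `Bank` class, the account names and balances, the HMAC-derived six-digit code and the 120-second validity window are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption for the example: a confirmation code is valid for two minutes.
CODE_TTL_SECONDS = 120


class Bank:
    """Minimal server-side model of a bank that lets a session token read
    balances but requires a transaction-bound, one-time, out-of-band code
    before it will execute a transfer.  Constructed for illustration."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._sessions: dict[str, str] = {}                 # session_id -> account
        self._balances: dict[str, int] = {"alice": 1000, "bob": 50, "mule": 0}
        self._pending: dict[str, tuple[str, float]] = {}    # challenge_id -> (account, expires_at)

    def login(self, account: str) -> str:
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = account
        return session_id

    def balance(self, session_id: str) -> int:
        # Low-risk read: the session token alone is sufficient.
        return self._balances[self._sessions[session_id]]

    def _code_for(self, challenge_id: str, account: str, payee: str, amount: int) -> str:
        # The code commits to the challenge AND the transfer details, so a code
        # approved for one payee/amount is worthless for any other.
        msg = f"{challenge_id}|{account}|{payee}|{amount}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def request_transfer(self, session_id: str, payee: str, amount: int) -> tuple[str, str]:
        account = self._sessions[session_id]
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = (account, time.monotonic() + CODE_TTL_SECONDS)
        code = self._code_for(challenge_id, account, payee, amount)
        # In a real deployment the code, together with the payee and amount to
        # approve, goes to the customer's second device.  Returning it here
        # simulates that channel for the example.
        return challenge_id, code

    def confirm_transfer(self, session_id: str, challenge_id: str, code: str,
                         payee: str, amount: int) -> bool:
        account = self._sessions[session_id]
        pending = self._pending.pop(challenge_id, None)    # one-time use
        if pending is None:
            return False
        owner, expires_at = pending
        if owner != account or time.monotonic() > expires_at:
            return False
        expected = self._code_for(challenge_id, account, payee, amount)
        if not hmac.compare_digest(expected, code):
            return False    # wrong code, or details changed after approval
        if self._balances[account] < amount:
            return False
        self._balances[account] -= amount
        self._balances[payee] = self._balances.get(payee, 0) + amount
        return True


def run_scenarios() -> dict:
    """Exercise the model against the cases the article discusses."""
    bank = Bank(secrets.token_bytes(32))
    sid = bank.login("alice")
    results = {}

    # 1. Customer sends 100 to bob and approves exactly those details.
    cid, code = bank.request_transfer(sid, "bob", 100)
    results["legitimate"] = bank.confirm_transfer(sid, cid, code, "bob", 100)

    # 2. The same challenge and code cannot be used a second time.
    results["replay_rejected"] = not bank.confirm_transfer(sid, cid, code, "bob", 100)

    # 3. Session token only: whoever holds the session id can start a transfer,
    #    but the code is delivered to the customer's other device and never
    #    reaches the session, so the confirmation arrives without it.
    cid2, _ = bank.request_transfer(sid, "mule", 500)
    results["session_only_rejected"] = not bank.confirm_transfer(sid, cid2, "", "mule", 500)

    # 4. Details swapped inside the browser after the customer approved
    #    "bob, 100": the approved code does not match "mule, 500".
    cid3, code3 = bank.request_transfer(sid, "bob", 100)
    results["swapped_details_rejected"] = not bank.confirm_transfer(sid, cid3, code3, "mule", 500)

    results["alice_balance"] = bank.balance(sid)
    results["bob_balance"] = bank._balances["bob"]
    results["mule_balance"] = bank._balances["mule"]
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The design choice that matters is in `_code_for`: because the code is an HMAC over the challenge, account, payee and amount, the server never trusts the details submitted at confirmation time on their own; it recomputes what the customer actually approved. Displaying the payee and amount alongside the code on the second device is what makes the swapped-details case visible to the customer, which is exactly the channel Corrons notes the 2010 Zeus variant went after.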
So it appears that OddJob is a bit of an anomaly: it is new and sophisticated; but apparently not as dangerous as Zeus/SpyEye. So why bother when you could simply hire SpyEye? Back to one of Amit Klein’s comments: “it [OddJob] appears to be a work in progress.” That reminded me about a conversation I recently had with Bradley Anstis, VP, Technical Strategy – M86 Security. Bradley was explaining the evolution and merging of Zeus and SpyEye. “Whenever you think of Zeus,” he explained, “cross it out and replace it with ‘SpyEye’. Zeus used to be the dominant banking trojan; but its creator seemed to decide that he’d had enough of the limelight – and he’s actually given the source code to the creator of SpyEye. Now they’re working together on SpyEye, which has taken over the throne from Zeus. Already in the last month we’ve seen new versions of SpyEye come out that are getting more complex and more complicated all the time.”
Bradley went on to explain what he expects to see in 2011. “We think in the next year financial trojans will move away from just being oriented against banks. Any organisation that does financial transactions on the internet should be thinking now about updating their knowledge about these banking trojans, and how they could affect their business transactions in the future – companies like Amazon and eBay have user accounts that could well be targeted.”
The simple fact is that cloud computing is providing a new model just as much for cybercrime as for cyberbusiness: crime is cheaper and easier to commit than ever before. And there is little doubt that OddJob is designed to make use of cloud opportunities. One “noteworthy aspect of OddJob,” comments Amit, “is that the malware’s configuration is not saved to disk – a process that could trigger a security analysis application – instead, a fresh copy [and therefore the latest version] of the configuration is fetched from the C&C server each time a new browser session is opened.” So, using the cloud model, it is easy to envisage a ‘theft to order’ approach run from the cloud (actually, it is already with us); and it’s just possible that this ‘work in progress’ is an early view of a new development in the evolution of cybercrime.