New trojan sucks money out of online bank accounts

OddJob allegedly sucks money out of bank accounts even after a session has logged out

According to Amit Klein, CTO of in-browser security specialist Trusteer, OddJob is a new type of financial trojan that hijacks customers' online banking sessions in real time using their session ID tokens.

OddJob, he claims, keeps online banking sessions open after customers think they have logged off, which lets criminals extract money and commit fraud unnoticed.

This, he says, is a completely new piece of malware that advances the state of the art by evolving existing attack methodologies rather than inventing new ones.

"It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital – and online monetary – assets," he said in his security blog.

After reverse engineering the malware, Klein says that Trusteer has warned financial institutions that OddJob is being used by criminals based in Eastern Europe to attack their customers in several countries, including the US, Poland and Denmark.

"The most interesting aspect of this malware is that it appears to be a work in progress, as we have seen differences in hooked functions in recent days and weeks, as well as the way the Command & Control (C&C) protocols operate", he said.

"We believe that these functions and protocols will continue to evolve in the near future, and that our analysis of the malware's functionality may not be 100% complete as the code writers continue to refine it", he added.

OddJob's most obvious characteristic, says Klein, is that it is designed to intercept user communications inside the browser. It uses this ability to steal or inject information and to terminate user sessions in Internet Explorer and Firefox.

Trusteer's CTO says that by capturing the session ID token, which the bank uses to identify a user's online banking session, the fraudsters can electronically impersonate the legitimate user and complete a range of banking operations.

The most important difference from conventional account takeover, he says, is that the fraudsters never need to log in to the online banking servers themselves: they simply ride on the existing, already authenticated session, much as a child might slip unnoticed through a turnstile at a sports event or train station behind a paying adult.

"The final noteworthy aspect of OddJob is that the malware's configuration is not saved to disk – a process that could trigger a security analysis application – instead, a fresh copy of the configuration is fetched from the C&C server each time a new browser session is opened", he said.

"It's important to note that OddJob is just one of several pro-active malware applications that our research team sees on a regular basis, but its coding methodology indicates a lot of thought on the part of the coders behind the fraudware", he added.
