OddJob, a malicious code that takes over user's account during Internet banking
03/14/11
Written by HAURI Virus Lab.
Recently, HAURI Virus Lab. received a report of new malicious code called 'OddJob'.
OddJob lets hackers keep an online session connected by stealing the token issued by the bank, so that they can take over the user's Internet banking account.
Once a PC is infected with the OddJob malicious code, the user's personal Internet banking information can be taken over through the use of Internet banking sites.
The malicious code targets Windows-based PCs and is designed to steal the session ID tokens of accounts at twelve specific banks in the US, Poland and Denmark.
When a user logs on to his/her account, OddJob steals the session ID token and then attempts the hack by connecting to its C&C (command and control) server in real time. The cyber criminals can also steal the information when the session ends.
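The token reuse described above is visible only from the bank's side, so the following is an added example (not HAURI's code and not taken from OddJob) of a server-side check that flags a session token used by a second client or used after the user has logged out. The event format, action names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample events from a hypothetical bank web tier (not from the page):
# (seconds, session_token, client_ip, user_agent, action)
SAMPLE_EVENTS = [
    (0,   "tok-A", "198.51.100.7", "Browser/1.0", "login"),
    (30,  "tok-A", "198.51.100.7", "Browser/1.0", "view_balance"),
    (45,  "tok-A", "203.0.113.50", "Browser/1.0", "view_balance"),  # same token, second client
    (90,  "tok-A", "198.51.100.7", "Browser/1.0", "logout"),
    (120, "tok-A", "203.0.113.50", "Browser/1.0", "transfer"),      # token used after logout
    (10,  "tok-B", "192.0.2.44",   "Browser/2.0", "login"),
    (70,  "tok-B", "192.0.2.44",   "Browser/2.0", "logout"),
]

@dataclass
class SessionState:
    fingerprint: tuple        # (ip, user_agent) seen at login
    logged_out: bool = False  # set once the original client logs out

def find_suspicious_use(events):
    """Return (time, token, reason) alerts for stolen-token style reuse."""
    sessions, alerts = {}, []
    for ts, token, ip, agent, action in sorted(events):
        client = (ip, agent)
        if action == "login":
            sessions[token] = SessionState(client)
            continue
        state = sessions.get(token)
        if state is None:
            alerts.append((ts, token, "unknown-token"))
        elif state.logged_out:
            # The user believes the session is over, yet the token is still in use.
            alerts.append((ts, token, "use-after-logout"))
        elif client != state.fingerprint:
            # IPs can change legitimately (mobile networks); treat as a signal
            # for step-up authentication rather than proof of theft.
            alerts.append((ts, token, "client-mismatch"))
        elif action == "logout":
            state.logged_out = True
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_use(SAMPLE_EVENTS):
        print(alert)
```

Invalidating the token on the server at logout, rather than only clearing it in the browser, is what turns the use-after-logout alert into a rejected request.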
Unlike other banking trojans, OddJob does not store its component code on the user's system after downloading it; instead, it transfers new code from the C&C server to the user's system every time a web browser is newly opened.
[PIC 1] Inside script of OddJob 1
As the following image shows, it creates random SWF files and tries to access a certain URL.
[PIC 2] Inside script of OddJob 2
[PIC 3] Inside script of OddJob 3
In the future, Internet banking will not be a choice but an indispensable part of life, so this kind of security threat will also increase steadily. Therefore, all Internet banking users must take care when using Internet banking, and should have a valid Anti-Virus program with a daily engine update function on their system to protect it against up-to-date malicious code.