Financial Malware Hijacks Online Banking Sessions 161
Orome1 writes "A new type of financial malware has the ability to hijack customers' online banking sessions in real time using their session ID tokens. The OddJob Trojan keeps sessions open after customers think they have 'logged off,' enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital — and online monetary — assets."
Bank, please explain me once again... (Score:2, Interesting)
Re: (Score:2)
Re: (Score:1)
Easy. Use an online banking software independent from a browser with a decent security system (card reader).
Use paper money. (Score:2)
Re:Bank, please explain me once again... (Score:4, Interesting)
www.ubuntu.com
works great, and this trojan cant work on it....
WEll I take that back. Install the Wine packages and then run the winetricks.sh to install Internet explorer and you can get this working under linux.
Sorry, there is no non techie way to get this trojan working under linux. I guess you will have to suffer with a more secure OS for your banking, instead of complete windows compatibility with the insecurity.
Re: (Score:2)
Re: (Score:1)
... I guess you will have to suffer with a more secure OS for your banking...
So, you are suggesting security by obscurity?
Re: (Score:2)
When ever I hear Linux as a solution to Trojans/Viruses/etc, I can't help but remember when I was a script kiddy, and how we'd run a few scripts, on a few machines, that would scan an teh internet, and root a fuckload of boxes. Seriously, it was so easy, and the scripts we had would completely root the machine, then fix the hole.
Usually it was a problem with things being misconfigured or un-updated. These weren't just trojans we'd install, they were hardcore rootkits, that you weren't getting rid of anytime
Comment removed (Score:4, Insightful)
Re: (Score:1)
Newsflash: People want to actually use their computer, and generally that takes Linux out of the equation.
You do realize that most of the people on /. won't be able to read that due to heavy use of flashblock.
Jes' sayin'.
Re: (Score:1)
Really? It's called an application. You write one specifically for the bank. Also the cost of the electronic transfer doesn't have anything to do with the problem.
Re: (Score:1)
Really? It's called an application. You write one specifically for the bank. Also the cost of the electronic transfer doesn't have anything to do with the problem.
That doesn't work, either. The only way to commercially viable would be for a third party to sell such a package (and I used to be in that business). However, if such a thing becomes prevalent enough, it will get hacked as well. Plus, it has to go over the internet anyway unless you expect bank customers to use speical hardware.
It's amazing how simple things are when looked at by uninformed people.
I assure you, it is not as simple as you seem to imply.
Re: (Score:1)
Well, depends on the bank. I use a native linux application for online banking (moneyplex), so it is possible.
Re: (Score:1)
As long as they use some kind of virtual machine / presentation system that is supported by multiple platforms, then there would be no problem.
It'd need some way of presenting text and graphics (using some standardised system to represent that data), a way to control the rendering of that media and finally, a way of describing how interactive client-side behaviour would operate. If everyone agrees on how these three features would be described and represented, as well as how the network protocols would oper
Applications do not have to come from banks ... (Score:2)
And I'm sure the bank will get on that Linux version of the application right away.
Companies like Intuit seem to have no problem connecting to various major banks and performing online financial transactions. What makes you think that the banks have to write the application?
Bank customers, please explain me once again... (Score:2)
... why you choose to bank with a bank that doesn't support your choice of OS & doesn't take security seriously?
Re: (Score:2, Informative)
You didn't read further...
The most severe unpatched Secunia advisory affecting Linux Kernel 2.6.x, with all vendor patches applied, is rated Less critical
The most severe unpatched Secunia advisory affecting Microsoft Windows 7, with all vendor patches applied, is rated Highly critical
Don't even get me started on Microsoft applying patches on patches without reporting it to users.
Here's where you are wrong: By Microsoft's own admission, Windows 7 kernel is the same as Windows Vista kernel only adding new fea
Re: (Score:2)
KNOWN Windows 7 security vulnerabilities, IN ITS ENTIRETY Gui shell & all (02/22/2011) = 11% (6 of 57 Secunia advisories)
http://secunia.com/advisories/product/27467/ [secunia.com]
---
KNOWN Linux 2.6 security vulnerabilities, kernel ALONE, & not counting GUI shells ones too (02/22/2011) = 5% (13 of 247 Secunia advisories)
http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]
---
From these sites, "Statistics for 2011", Criticality: Windows 33% Highly 67% Less; Linux 33% Less 67% Not; Where: Windows 67% From remote; 17% from local network; 17% Local system; Linux 100% Local System.
Looks like Windows is much more vulnerable to remote, critical attacks than Linux. The impact graph also makes Windows look bad. Going back to 2010 doesn't help Windows case either.
Re: (Score:2)
Try reading the definitions for the classifications. You CAN'T turn a "from local" into a "from remote". Vulnerability is also measured with respect to the average, so it doesn't really matter what you use or don't use personally.
I'll try to make this simple (Score:2)
An installed malware is considered "from local", even if it is running from a remote system. A user had to grant the application access.
Re:single Linux distro (Score:2)
Na as soon as such a project gets started, a team will start fighting and a fork will appear.
Re: (Score:3)
P.S.=> Which, in the end, speaks MORE FOR ME, than against me... because, when ALL YOU HAVE IS EFFETE MOD DOWNS, that have NO TECHNICAL JUSTIFICATION BEHIND THEM? You're shown as "helpless henrys"... and you ALL know it! apk
I know, I know, don't feed the trolls.
I'll play along for a moment and keep pretending like the number of vulnerabilities are a valid measure of a system's security. Let's take a closer look at your secunia links: the number for the Linux kernel includes all vulnerabilities from 2003-2011. Windows 7 was released in October 2009. The most severe unpatched vulnerability in the Linux kernel is rated "Less critical," or 2/5. The most severe unpatched Windows vulnerability is rated "Highly critical," or 4/5.
Re: (Score:2)
First off, you'd probably do better in the credibility department if you stopped posting anonymous.
Second, whether you're right or not about number of bugs in Linux vs Windows doesn't matter one whit. Linux is more secure than Windows because security through obscurity is a real concept. Just as no one is going to rob a house that only has a coffee table and a gallon of spoiled milk in it, no one is going to spend a lot of time and effort designing a Linux theft-malware, because they can steal a lot more mo
Re: (Score:2)
I wasn't trying to draw a distinction in merit between registered users and AC's. But when the AC starts yelling, typing in bold, calling people names "lusers, etc," and starts trying to get into a pissing match about who's accomplished more than who, they're living up to the "coward" part of the AC handle.
If you're gonna come on here and fling insults, and jockey about acting as though you're better than everyone else, at least have the guts to register a name so that you have to face the consequences of y
Re: (Score:2)
Relax, we know it's you.
so where's the list? (Score:3)
No one thought it important enough to list the banks being targeted? Or is this "professional courtesy" on the part of whatever law enforcement agency is conducting the investigation to leave all of the banks' customers in the dark, lest the banks get a bad rep?
Re: (Score:2)
Even if they did provide a list, all it would do is offer false complacency to the people whose banks weren't on it. As TFA notes, the trojan is continually being updated, and it's reasonable to assume that they're adding capabilities to attack more banks on a regular basis.
Re: (Score:2)
Why? (Score:4, Interesting)
Re: (Score:2)
Probably because a lot of banks have online systems that seem to be written by Microsoft junkies or people that barely have a Freshman's level of knowledge about programming.
I was dealing with a credit card company web site yesterday (that will remain nameless) that was popping up messages in Firefox and IE8 that it required IE4 or IE5 just yesterday. I also have an account at a regional bank that has similar problems and seems to be stuck with a system that is so strait jacketed by their code that they wo
Re: (Score:2)
Re: (Score:3)
Do tell-- how would you avoid this issue? The problem isnt crappy coding on the bank sites, but that these viruses have control over the desktop and are giving real-time control to a remote operator. How is the bank to know that someone else is controlling the workstation?
Re: (Score:3)
There's already at least one virus that successfully worked around this with a man in the middle attack: Instead of trying to make a payment directly, it modified a payment you were making. Of course the bank prompted for an authorisation code, but as the user was making a payment they were expecting this, and promptly entered the details, sending some random amount to an account controlled by the virus writers.
The really clever bit was that it also re-wrote the screen display, to make it appear as though
Re:Why? (Score:4, Informative)
This is why although my bank has a security token thing (it's actually a small Chip & PIN terminal requiring you have the card and know the PIN) it only ever requires this be used when you set up a new payee and the first time you send money to that payee. So outside of a bank customer setting up a new payee anyway and the returned codes being intercepted to set up a different payee quickly enough the best a trojan can do is see your account statements, transfer money between your own accounts and pay money to people you already expect to pay. Yes, this means they can fuck with you, but they can't usefully (to them) steal your money.
Oh, and now I think about it they couldn't usefully do the MITM either, as the input is partially based on the receiving account number or somesuch. So unless they bad guys have an account that matches sufficiently closely the authorisation codes are going to be useless to them.
They have big fat warnings up about how the thing will never be asked for simply for logging in (not that I expect that would stop some stupid people falling to a MITM attack).
Re: (Score:3)
ZTIC? (Score:3)
What is ironic is that IBM Zurich was predicting this exact type of attack.
This is why they made the ZTIC prototype, and is why UBS is using it under their name of the UBS Access Key.
Why is the ZTIC so unique that IBM made it? Couple reasons:
1: Simplicity. Plug it in a USB port, it makes a secure connection through the computer to the bank, and no matter how trashed the host computer is, the worst it can do is stop the connection. It confirms access and transactions on the device, so even if the web bro
Re: (Score:2)
I have like six or seven financial accounts. One token is fine but by six or seven you start to get fed up.
Re: (Score:2)
Re: (Score:2)
For those of us without cell phones, would there be any serious issues with being able to use one OTP generator for multiple sites? A trust authority issues them, and can verify that you are you to the given organization. A keylogger could gank the code and use it for something else, sure, but if I'm not mistake nthat could happen anyway with per-site.
Re: (Score:3)
It sounds like this isnt hijacking that hardware dongle's "token", but the browser's login "token". That is, the user clicks "log off", but the trojan intercepts that request and presents a phony "logged off" page, while keeping the session open (or alternatively keeps the session open after the browser is closed). It then relays to the C&C server "hey, i have an active bank session here!", where someone operating said server can relay commands to the trojan. At this point, said operator basically ha
Re: (Score:2)
As the parent was saying, the token is also used to confirm the transactions after they've been entered - the bank, naturally, doesn't trust the session until it times out or is logged off.
This same process is also used by my bank on the other side of the world - this closes many potential vulnerabilities - this one with the expiring session; phishing (since even if you get the user to login to a fake site, you can't transfer the funds), cross-site scripting usages to submit data to bank sites, etc. Heck, i
Re: (Score:1)
Unless it's a signing token (where you enter the payment details to generate the secureity code) this won't necessarily help, since this sort of man-in-the-browser attack is able to modify the payment details that you submit to the Bank's server... and at the same time modify the confirm/receipt screen served back to you, so that from your perspective it looks like you performed your intended transaciton (and entered your token security code), but in fact, the payment has gone off to the attackers desired a
always close your browser. (Score:2)
Which is why I always close my browser after a banking session. I only have one browser open, and only a single tab on that browser. All sessions, cookies, history, cache is deleted when I close my browser. This helps, but may not stop these kinds of attacks.
Re:that would not help. (Score:1)
Re: (Score:2)
Re: (Score:2)
OK. I'll have to turn back to "use an OS that cannot run EXEs and hope it takes very long to deploy a
Re: (Score:3, Informative)
Re: (Score:1)
It is transmitting the session information to a server.
Re: (Score:2)
Which is why I always close my browser after a banking session. I only have one browser open, and only a single tab on that browser. All sessions, cookies, history, cache is deleted when I close my browser. This helps, but may not stop these kinds of attacks.
1. This only holds true if you either
A) Use porn mode on your browser
B) Set up your regular browser to automatically delete everything
2. Even if you do #1, it will not help against this particular Trojan, since it hijacks the session.
Even TFS should have given you enough information to conclude that closing your browser and clearing your cache isn't going to do shit.
Re: (Score:2)
if you take the time to log out rather than just close your browser, the session is dead.
Re: (Score:2)
TFA notes that the trojan intercepts the logout request and prevents the server from actually logging you out, even if you think you're logged out client-side.
Re: (Score:2)
It seems to me that if everyone here had actually read the article, about 80% of these comments would never have been posted.
Re: (Score:2)
Re: (Score:2)
So what you need to do is unplug your computer from the internet for 30 minutes (or however long it takes for the session to expire) after each online banking session. And hope that the banking site validates session ids against IP addresses....
Re: (Score:2)
Which is why I always close my browser after a banking session.
Which is why I always use a secure OS and a secure browser to do my online banking.
If you use Internet Explorer on Windows, "closing" your browser is not enough. Internet Explorer is part of the OS, and keeps on running in the background even if no window of it is showing.
Re: (Score:2)
If you have a virus on your computer, it doesnt matter what OS or browser you use. This thing could be a usermode rootkit running a usermode driver, intercepting all network calls made by said user and rerouting them. Once you have the virus its too late.
Its only market share which has saved Linux and Mac from getting their comeuppance; a good number of the flaws out there would have no issue exploiting the PDF or Flash or Java plugins through Firefox running on Mac or Linux. Even up-to-date plugins have
Re: (Score:2)
That is not correct. Claiming "it keeps on running" implies that there is a process or thread open using iexplore.exe, which is not true. Ieframe.dll is used by explorer, but if you close explorer that dll handle also closes.
It is tied into the OS in that it is used for rendering quite a lot, from help files to web pages to Steam's interface, but I dont see any reason you cant close all IE handles.
Close browser not just log out (Score:3)
Hence the suggestion that after using online banking, you close the browser not just log out of the session. Or would this not help with this malware?
Re: (Score:2)
It would not help with this malware. The malware keeps the session open; that is in fact how it operates and why it is so novel.
Re: (Score:1)
It runs as a separate process from the windows shell there poindexter, so when you close it, the session really does go away.
Anyway, the way this technique works, once the session is successfully hijacked, even turning the computer off isn't going to help any.
Re: (Score:2)
The article says that OddJob targets both Internet Explorer and Firefox, so apparently just switching to Firefox would not be enough.
As a Linux user, I noticed that the article does not mention anything one way or the other about other operating systems such as Linux or Mac OS. The article also does not mention other less common browsers such as Opera. If there were enough Linux users to be worth targeting, I wonder if they could come up with a Linux version of OddJob, or not?
Real Issue or Ad? (Score:5, Informative)
From the source site (the blog at http://www.trusteer.com/ [trusteer.com]
"The good news is that Trusteer's Rapport secure web access software- which is now in use by millions of online banking customers - can prevent OddJob from executing."
Now, I don't know Trusteer's rep, but when I see a story like this that originates from what appears to be a source that's in the business of selling security software, I want a second opinion from another source. A quick "google" for OddJob finds stories that all seem to tie back to Trusteer's blog entry. This story also doesn't say much about platform sensitivity. Is this an issue on any OS platform that uses Firefox, for example?
Re: (Score:2)
Any real security company would either say "you're hosed on this platform" or "do x, y, and z and you'll be fine."
I say it's an ad.
Re: (Score:2)
Re: (Score:2)
Of course, I might have missed it. Did anyone else see it?
Not good (Score:5, Informative)
http://www.computing.net/answers/security/rapport-security-software-avoid-using-it/28295.html [computing.net]
This product is to be avoided at all costs...if anyone is still having problems, I have managed to switch it off and uninstall it, altho' the Rapport/Trusteer team clearly did not want to help, and many believe it's not intended to be uninstalled.
Re: (Score:1)
No idea how good it is though. I hardly notice that it is running, even on my old 1GHz laptop.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Jobs for programmers on both sides. AV vendors get huge profit. Win-Win situation!
Um, this is news because...? (Score:2)
No matter what browser you're using - unless it is Lynx - you probably can be involved in a session hijack issue. UNLESS you forcibly close that session by closing your browser.
I saw a post about using Wintendo. I don't think that Windows or Linux or OSX are any more or less vunerable. Just the fact that people don't forcibly close sessions.
Now, where did I put that copy of Firesheep?
Re: (Score:2)
UNLESS you forcibly close that session by closing your browser.
Doesn't help. Web servers do not (and cannot) know when your browser has been closed.
Besides, if the hijacker has done their job properly and you've only ever been communicating with the server you think you're connected to via their proxy, you can't disconnect unless they let you do so.
Re: (Score:2)
You could boot up your PC using a read-only Linux CD before you initiate your session with the bank. You can always checksum the CD to ensure at-minimum that your PC client is clean.
Re: (Score:2)
Okay, so basically it sounds like the programmers did a poor job of implementing state.
Whenever I've done an application (which I don't anymore being a PHB) I always forced closed a session on either logout or browser disconnect. (You never know when that BSOD might hit for those using windows.)
Ah, well, I guess my 75-year-old father-in-law is right in that he refuses to do online banking and insists on going into the branch for every single transaction.
Can a persistant connection protocol solve this? (Score:2)
A http protocol that, instead of (connect, download, disconnect), allows for a sustained connection throughout the session and then a final disconnect when the session concludes. A persistent connection could mean that your credentials would be valid only for a single connection and logging out would sever that connection and invalidate the credentials. I am sure the idea has been tossed around and thrown out already, but I am curious.
Re: (Score:2)
Hmm, good thoughts. Thanks.
Live CD (Score:1)
Safest way to bank online is to use a Linux LiveCD.
No need to learn Linux, nor even install Linux. Simply boot to a Linux live cd. Nothing is written or saved to anywhere on the computer, so nothing for anyone to copy. It's not booting into windows, so no trojan/virus is there to affect it.
Better explanations here, and a simple howto:
http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html [washingtonpost.com]
http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on. [washingtonpost.com]
Re: (Score:2)
Even better if you are a little technical, set up a "frugal" boot partition. This will unpack and boot a CD image much faster than booting from CD and when you power down it doesn't keep any state. No viruses survive the reboot.
Re: (Score:2)
I go the netbook route - they're cheap and disposable. I have one running Linux, and the ONLY thing it does is banking. When I've finished paying my bills, it gets shut down and put back on the shelf.
Seriously, it's one of the great uses of a netbook - dispoable appliance computing.
Re: (Score:2)
Even better if you are a little technical, set up a "frugal" boot partition. This will unpack and boot a CD image much faster than booting from CD and when you power down it doesn't keep any state. No viruses survive the reboot.
Since it's on writable media, this is only true until someone writes a more sophisticated piece of malware. The same applies to a Live CD on a CD-RW to an extent. A Live CD on a finalized CD-R really is immutable.
Re: (Score:1)
Re: (Score:2)
Yeah yeah yeah and the FBI can point a laser at your window and listen in to your conversations. But practically speaking, booting off a CD image in it's own partition into an operating system that is known to be more resistant to malware is pretty secure. It's is more secure than how people handle the rest of their lives (their front door locks, their car, handling their credit card receipts, etc.).
Re: (Score:2)
As long as you trust the source of the LiveCD and it is on non-rewritable media, this is the best solution. The only vector left for the malware writers would be to store their malware in Flash memory in the GPU, NIC, or system chip sets in order to survive a reboot. If nothing is persistent on that machine then the malware has no place to hide. Each time the LiveCD comes up clean despite the state of the possibly infected 'normal' boot disk. Just don't surf the web prior to d
a new type of financial malware? (Score:1)
"A new type of financial malware has the ability to hijack customers’ online banking sessions in real time using their session ID tokens"
What ever you do don't mention Microsoft Windows .. :)
"OddJob's most obvious characteristic is that it is designed to intercept user communications through the browser. It uses this ability to steal/inject information and terminate user sessions inside Internet Explorer and Firefox"
How does the OddJob 'financial malware' get on the computer in the first place. What D
Transaction signing (Score:2)
Some banks in Sweden signs the online-transaction with a key generated by a standalone card reader where you enter a security token + date + amount + pin. The key generated is unique for your specific transaction and cannot be hijacked.
The downside is that there's a bunch of numbers to input on the card reader but I would say it's almost foolproof security-wise.
100% Safe Banking... (Score:2)
...@ the teller window.
I appreciate online banking for those who NEED it, but I don't and don't want to worry about the 4 electronic devices I carry being hijacked someway to get at a bank account.
Re: (Score:3)
2 Cents (Score:1)
1. Never ever log in from work.
2. Use a virtual machine w/ Minimal install of non Windows OS
3. Only use the VM for banking. Close it when done.
Re: (Score:2)
If you use an Ethernet connection (not wireless) than you should always use bridged networking rather than NAT for your VM.
Banks need to push out VMs (Score:2)
These days, attacks are becoming increasingly sophisticated and the level of security required by banks has not really increased as the level of sophistication and tech savvy of their customers has not increased.
If the banks were to team up with an established and/or hungry VM software vendor such as VMWare or Oracle (current VirtualBox owner), perhaps a "program" which is actually a carefully created VM host application which contains a securely locked down VM running within, could better serve the needs o
Re: (Score:2)
Doesn't work – you can modify the VM's memory contents and read/mutate its I/O operations from the host machine. It would in many respects make the attacker's job easier as they would only have one OS/browser version to go at.
Re: (Score:2)
You mean it would be impossible to encrypt the VM's running memory? I seriously doubt that would be impossible. Once encrypted, it should be a great deal more difficult to attack.
I know nothing can be perfect, but that is as near perfect as anyone should be able to get on a Windows machine.
Re: (Score:2)
A live CD doesn't store useful information and requires rebooting... yeah, still, probably a better idea... or even a flash drive with live OS on it. At least in that case, reports can be generated and placed on an area of the drive readable by the user so they can import/export their quickbooks or what-not.
Re: (Score:2)
Wow... seriously? You don't think I know what I am talking about? Been on here a long time and probably in the industry longer than you have been alive.
Yes, a VM... a VM appliance, more precisely. There is already VMWare player and there is already free VM host software out there. The trick would be to package up the VM files and the player/host into a single package that can be run conveniently and simply. I could be a pointy-haired boss and still know that this is a workable solution. Hell, there wa
No? (Score:2)
Trojan.PWS.Egold has been around for at least 5+ years that does effectively the same thing.
I look forward to the results (Score:2)
But does it run on Linux??! (Score:2)
My main question is "Does it run on Linux or Mac?". I suspect not from reading between the lines but it would be useful to know.
Ad... (Score:1)
technobabble <3 (Score:1)
Like putting too much air in a balloon!
Solution to 99.99% of bank phishing problems (Score:2)
Bank issues you with a little calculator like device containing a keypad and an internal secret number known to the bank.
When you make a transfer, you key the account number and the amount into the calculator and it prints a code that you key into the bank form.
If the code doesn't match what the bank calculated based on the submitted account number and amount, the transaction is rejected.