TSPY_ODDJOB.SMA

This spyware is noteworthy due to its capability to hijack user session as a user is logged in target websites. It also sends the gathered information to the server in real-time. This allows the attacker to conduct transactions even if the unsuspecting user believes he/she has logged out of the account. This technique then allows the attacker to bypass authentication methods used by banking websites.

To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.

This spyware sends the gathered information to the server in real-time, it may hijack user session as a user is logged in. This allows the attacker to conduct transactions even if the unsuspecting user believes he has logged out of the account. This technique also allows the attacker to bypass authentication methods used by banking websites.

It may be injected into certain processes.

Once any of the Internet browsers is executed, it hooks certain APIs to monitor user browsing activities and intercept HTTP traffic.

This spyware may be dropped by other malware.

Arrival Details

This spyware may be dropped by other malware.

Information Theft

This spyware accesses the following site to download its configuration file:

• http://{BLOCKED}ns.ir/desire/startup.php?id={value based on volume serial number}&ver={version}&btype=0

It attempts to access a website to download a file which contains information where the Trojan can download an updated copy of itself, and where to send its stolen data. This configuration file also contains the following list of targeted bank-related websites from which it steals information:

• *available*balance*
• *balance*available*
• *shared/generate/generateimage.aspx*
• *security*challenge*
• *secretword*
• *secret*word*
• *your*identity*
• *challenge*question*
• *public*computer*
• *obdesktopmultifactor.aspx*
• *securityauthentication.aspx*
• *enter*your*login*pin*
• *domestic*wire*
• *wire*transfer*
• *cash*management*
• *ebc1961.asp*
• *checking*
• *saving*
• *citizensbankmoneymanagergps.com*
• *wcmpr*
• *microsoft.com*
• *viewmorepics.myspace.com*
• *comment.myspace.com*
• *friends.myspace.com*
• *profileedit.myspace.com*
• *bulletins.myspace.com*
• *elosnok.com*
• *messaging.myspace.com*
• *musicsearch.myspace.com*
• *home.myspace.com*
• *topartists.myspace.com*
• *webbuying.net*
• *collect.myspace.com*
• *comments.myspace.com*
• *fe.bidz.com*
• *browseusers.myspace.com*
• *abcsearch.com*
• *license.hotbar.com*
• *estsc.msn.com*
• *mediaservices.myspace.com*
• *searchservice.myspace.com*
• *trafficexplorer.com*
• *kenexa.com*
• *wfrecruiter.com*
• *pcrecruiter.net*
• *recruiter.monster.com*
• *recruiter.hotjobs.yahoo.com*
• *broward.org*
• -*musicservices.myspacecdn.com*
• *massivebacklink.com*
• *theincometaxschool.net*
• *surveynetwork.com*
• http://**.js*.css*.jpg*.gif*.png
• *myspace.com*
• *thehorizonoutlet.com*
• *t-mobile.com*
• *earthlink.net*
• *verizonwireless.com*
• *symantecstore.com*
• *amazon.com*
• *lowermybills.com*
• *secure-cash.net*
• *wireless.att.com*
• *sprintpcs.com*
• *onlinecreditcenter6.com*
• *ameriprise.com*
• *vzw.com*
• *yahoo.com*
• *adultfriendfinder.com*
• *taxactonline.com*
• *intuit.com*
• *facebook.com*
• *ebay.com*
• *hotmatch.com*
• *comcast.net*
• *monash.edu.au*
• *shaw.ca*
• *mail.google.com*
• *ebc_ebc1961*signout*
• *wachovia.com*signoff*
• *web-cashplus.com*logout*
• *usbank*logout.do*
• *citibank.citigroup.com/cbusol/quit.do*
• *53.com/webaccess/cgi-bin/logoutconfirm.cgi*
• *53.com/express/logoff.action*
• *invalidate-session.jsp*
• *hsbcnet.com/uims/portal/logoff*
• *hsbc*logoff**/logon/cpexit*
• *passmark/signin.do*
• *sk=*sce=*
• *pm_fpua*mozilla*
• *.53.com*
• *.comerica.com*
• *hsbc*launching*
• *tmcb.calbanktrust.com*dashboardview*
• *https://sma.alaskausa.org*get-board-image**multifactor/lib/rendertext.aspx*
• *bharosa/getimage.aspx*
• *bharosa_keypad*
• *available*balance*

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}ns.ir/desire/data.php?id={value based on volume serial number}&ver={version}&btype=0

NOTES:

Other Details

Based on analysis of the codes, it has the following capabilities:

It may be injected into the following processes:

• aexplore.exe
• avant.exe
• firefox.exe
• iexplore.exe
• maxthon.exe
• myie.exe
• myie2.exe
• SVCHOST.EXE

Once any of the Internet browsers is executed, it hooks certain APIs to monitor user browsing activities and intercept HTTP traffic. It gets a fresh copy of its configruation file each time a new browser session is opened. It also does not save a copy of its configuration file on disk, it is only saved in memory.

As of this writing, the server replies with an encrypted configuration file, which when decrypted contains the strings mentioned above.

Once the user visits any of the websites containing the above-mentioned strings, the hooked APIs intercept and record the HTTP traffic. It logs GET/POST request and grabs full-page data, which may contain cookie and session ID information.

Since this spyware sends the gathered information to the server in real-time, it may hijack user session as a user is logged in. This allows the attacker to conduct transactions even if the unsuspecting user believes he has logged out of the account. This technique also allows the attacker to bypass authentication methods used by banking websites.

The contents of the configuration file may vary.