31 January 2012

Video: New Banking Trojan Caught Breaking CAPTCHA

A new banking Trojan variant can bypass CAPTCHA, as demonstrated by a video posted today by security firm Websense on their Security Labs blog.

Once downloaded to the machine, Cridex, a data-stealing Trojan, will track content from various web forms. Cridex also downloads a ‘spamming module’ to the infected machine that enables the botmaster to send malicious e-mails to boost infection rates. This module, as shown in the video, utilizes a CAPTCHA-breaking server that helps the botmaster circumvent any CAPTCHA after a few tries, allowing the attacker to create a new Yahoo e-mail account.

The CAPTCHA attempts are sourced from a series of challenge images (embedded in HTTP) that have been gathered from the e-mail registration form and uploaded to the remote CAPTCHA-breaking server.

For more on the methods used by Cridex and the exact steps of the CAPTCHA-breaking process, head to Websense.