Banking Trojan breaks captcha to spread bot

The Cridex data-stealing Trojan is using spammer techniques to break captcha challenges to open webmail accounts and propagate itself, according to security company Websense

A banking Trojan now spreading over the internet is able to get past captcha security challenges to send out emails and propagate itself, according to security company Websense Labs.

The Cridex Trojan variant infects a Windows PC when a malicious link in an email is clicked, Websense said in a blog post on Monday. The shortened link goes to a malware webkit with several components, including a data-gathering tool and a propagation module that stealthily opens webmail accounts.

Once the accounts are set up, Cridex sends out malicious emails to try to compromise more computers. To do this, it uses captcha-cracking techniques more commonly associated with spammers, according to Websense.

"According to our findings, captcha challenges in some cases can be broken with the help of a captcha-breaking server, which allows the bot to register a mail account or address after only a few attempts," the company said.

The bot sends harvested captcha-challenge images to a server, which processes the image and returns JavaScript Object Notation (JSON) text that the bot uses to fill in the webmail sign-up form. JSON is a language-independent text format for structured data.

In a video, Websense researchers showed the bot successfully breaking a Yahoo webmail sign-up captcha after six attempts.
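The behaviour described above leaves a recognisable trace on the webmail provider's side: a client that fails the captcha several times at machine speed, then succeeds, and then registers several accounts in a short window. The following is an added example from a defender's perspective, not code from Websense or from the article; it runs a simple sign-up abuse detector over a constructed sample of captcha-attempt log lines. The log format, the thresholds, and the client identifiers are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One attempt per line:
# ISO timestamp, client identifier (here a source IP), captcha outcome.
SAMPLE_LOG = """\
2000-01-01T10:00:01Z 198.51.100.7 fail
2000-01-01T10:00:05Z 198.51.100.7 fail
2000-01-01T10:00:09Z 198.51.100.7 fail
2000-01-01T10:00:13Z 198.51.100.7 fail
2000-01-01T10:00:17Z 198.51.100.7 fail
2000-01-01T10:00:21Z 198.51.100.7 success
2000-01-01T10:01:02Z 198.51.100.7 fail
2000-01-01T10:01:06Z 198.51.100.7 success
2000-01-01T10:02:40Z 198.51.100.7 success
2000-01-01T10:05:00Z 203.0.113.42 fail
2000-01-01T10:05:30Z 203.0.113.42 success
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, client, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, outcome))
    return events


def flag_signup_abuse(events,
                      max_signups=2,                       # registrations allowed per window
                      window=timedelta(minutes=10),
                      max_attempt_gap=timedelta(seconds=10),  # faster than this looks automated
                      min_burst_fails=3):
    """Return {client: [reasons]} for clients whose captcha pattern looks automated.

    Heuristic 1: more than max_signups successful registrations inside `window`.
    Heuristic 2: a success that directly follows a burst of at least
    min_burst_fails failures spaced no more than max_attempt_gap apart.
    """
    by_client = defaultdict(list)
    for ts, client, outcome in sorted(events):
        by_client[client].append((ts, outcome))

    findings = {}
    for client, attempts in by_client.items():
        reasons = []

        # Heuristic 1: sliding window over successful registrations.
        successes = [ts for ts, outcome in attempts if outcome == "success"]
        for i, start in enumerate(successes):
            in_window = sum(1 for t in successes[i:] if t - start <= window)
            if in_window > max_signups:
                reasons.append(f"{in_window} registrations within {window}")
                break

        # Heuristic 2: rapid-fire failures immediately followed by a success.
        rapid_fails = 0
        prev_ts = None
        for ts, outcome in attempts:
            if prev_ts is not None and ts - prev_ts > max_attempt_gap:
                rapid_fails = 0  # a human-paced pause ends the burst
            if outcome == "fail":
                rapid_fails += 1
            else:
                if rapid_fails >= min_burst_fails:
                    reasons.append(f"success after {rapid_fails} rapid failures")
                rapid_fails = 0
            prev_ts = ts

        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in flag_signup_abuse(parse_log(SAMPLE_LOG)).items():
        print(client, "->", "; ".join(reasons))
```

Both heuristics are deliberately coarse: a legitimate user who mistypes a captcha twice is not flagged, but a client that clears it only after a burst of rapid failures, or that opens several accounts in minutes, is. In practice the flagged client would be throttled or sent to a stronger challenge rather than blocked outright, since source addresses are shared and the thresholds need tuning against real traffic.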

Spammers have used captcha-breaking techniques for a number of years. In February 2008, Websense discovered Windows Live Mail and Gmail being targeted by bots that were capable of signing themselves up.

The payoff for the Trojan is the sensitive information gathered once it has been downloaded to a computer. It harvests data from web sessions, targeting US banking services and PayPal — giving it potential access to financial account details — as well as sites such as Facebook and Twitter.
