2012
02.07

The image below (Picture 1) shows this CAPTCHA-breaking malware's ecosystem, which we'll describe step by step.

Step 1: The starting point of an infection is a banking Trojan variant known as Cridex. This variant is propagated via malicious email messages that hold shortened links leading to exploit kits (see this example), in our case the Blackhole exploit kit.

Step 2: If the exploit is successful, the Cridex variant is downloaded to the machine.

Step 3: Cridex runs on the machine.

Step 4: Cridex is a data-stealing Trojan that is similar to Zeus in the way it operates: it logs content from Web sessions and alters them to harvest information from the infected user. The Cridex configuration file downloaded by this variant (safe to view and download and shortened here) shows which websites the variant monitors and steals data from, along with Web form injection points (data alteration injected into Web forms to harvest additional data like ATM PIN numbers). We have observed that Facebook, Twitter, and many banking services are targets. A partial list of targeted websites can be found here.

Step 5: Any stolen data from the system is uploaded to a command and control server. [..]

Cridex scheme

via Trojan caught on camera shows CAPTCHA is still a security issue – Security Labs.
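The five-step chain quoted above (shortened link in an email, exploit kit landing, executable download, then exfiltration to a command-and-control server) is what a defender has to recover from proxy logs. The script below is an added example, not code from the Websense post or from any Cridex analysis: it correlates a constructed squid-style proxy log per client and flags only the ordered sequence shortener redirect, executable download, POST to a bare IP with no referer, each within a time window of the previous stage. The log format, every domain and IP, the shortener list, the content-type set and the ten-minute window are assumptions chosen for illustration.

```python
"""Correlate proxy log lines into the Cridex-style infection chain.

Added example (not from the original page). The log lines, hostnames,
IP addresses and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: time client method url status content-type referer
SAMPLE_LOG = """\
2012-02-07T09:01:10 10.0.0.5 GET http://sh.example-shortener.test/ab12 302 text/html mail.example.test
2012-02-07T09:01:12 10.0.0.5 GET http://landing.example-ek.test/main.php?page=3 200 text/html sh.example-shortener.test
2012-02-07T09:01:13 10.0.0.5 GET http://landing.example-ek.test/pdf.php 200 application/pdf landing.example-ek.test
2012-02-07T09:01:20 10.0.0.5 GET http://landing.example-ek.test/w.php?f=1 200 application/x-msdownload -
2012-02-07T09:02:05 10.0.0.5 POST http://198.51.100.23/ 200 text/html -
2012-02-07T09:05:00 10.0.0.9 GET http://sh.example-shortener.test/zz99 302 text/html mail.example.test
2012-02-07T09:05:02 10.0.0.9 GET http://news.example.test/story 200 text/html sh.example-shortener.test
2012-02-07T11:30:00 10.0.0.9 POST http://198.51.100.23/ 200 text/html -
"""

SHORTENER_DOMAINS = {"sh.example-shortener.test"}      # assumed list; use your own
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}
WINDOW = timedelta(minutes=10)                         # assumed stage-to-stage limit
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Split one log line into a dict; the host is taken from the URL."""
    ts, client, method, url, status, ctype, referer = line.split()
    host = re.match(r"https?://([^/:]+)", url).group(1)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "host": host, "status": int(status), "ctype": ctype,
            "referer": referer}


def parse_log(text):
    """Group events by client IP, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            e = parse_line(line)
            events[e["client"]].append(e)
    for evs in events.values():
        evs.sort(key=lambda e: e["ts"])
    return events


def is_shortener_click(e):
    return e["method"] == "GET" and e["host"] in SHORTENER_DOMAINS and e["status"] in (301, 302)


def is_exe_download(e):
    return e["method"] == "GET" and (e["ctype"] in EXEC_TYPES or e["url"].lower().endswith(".exe"))


def is_c2_post(e):
    # Exfil with no browsing context: POST straight to a bare IP, no referer.
    return e["method"] == "POST" and bool(IP_HOST.match(e["host"])) and e["referer"] == "-"


def find_chain(evs):
    """Return (click, download, post) when the three stages occur in order,
    each within WINDOW of the previous one; otherwise None."""
    for i, click in enumerate(evs):
        if not is_shortener_click(click):
            continue
        for j in range(i + 1, len(evs)):
            dl = evs[j]
            if dl["ts"] - click["ts"] > WINDOW:
                break                      # too late to belong to this click
            if not is_exe_download(dl):
                continue
            for post in evs[j + 1:]:
                if post["ts"] - dl["ts"] > WINDOW:
                    break
                if is_c2_post(post):
                    return click, dl, post
    return None


def detect(log_text):
    """Map each client IP to its matched chain, or None if no chain was found."""
    return {client: find_chain(evs) for client, evs in parse_log(log_text).items()}


if __name__ == "__main__":
    for client, chain in detect(SAMPLE_LOG).items():
        if chain:
            print(f"{client}: {chain[0]['host']} -> exe from {chain[1]['host']} "
                  f"-> POST to {chain[2]['host']}")
        else:
            print(f"{client}: no chain")
```

The second client in the constructed log also clicks a shortened link and also POSTs to a bare IP, but with no executable download in between and two hours apart, so it is not flagged: a shortener redirect or an IP-addressed POST on its own is ordinary traffic, and the ordered, time-bounded chain is what carries the signal. Real proxy logs often lack the content-type or referer fields, and the exploit-kit landing URL patterns are deliberately not matched here because the post does not give them.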
