In 2005 I presented in CNASI conference a PoC trojan that uses the authentication from a valid web session from the user to inject it's own transactions. I showed that even some strong authentications systems could be fooled by that. I'll reproduce that code on our Black Hat presentation as part of the trends on botnets, this specific case on their "features" sets.

It was interesting to see that the Storm Worm is doing something very similar to what I showed before to inject it's content on webmail and blog systems, avoiding CAPTCHA tests. Together with content being presented by Jose Nazarion on BH DC, this is another of our predictions appearing on new malware.