Gozi Trojan leads to Russian data hoard
Log-in, account information of thousands compromised
Computerworld - A Russian Trojan program named Gozi that remained largely undetected for more than 50 days earlier this year has stolen more than 10,000 records containing confidential information belonging to about 5,200 home users.
The compromised information included about 2,000 Social Security numbers, account numbers, user names and passwords that the individuals used to log into bank accounts as well as online retail and e-commerce sites.
The stolen data also included employee log-in information to applications from more than 300 companies and government organizations -- including several law enforcement agencies at the federal and state level -- as well as medical information of health care employees and patients whose usernames and passwords were compromised via their home PCs.
All of the information was sent by Gozi to a server in St. Petersburg, where it was then sold on a subscription basis to an unknown number of individuals. The black market street value of the stolen data: $2 million.
Details of the Trojan and the stolen information were uncovered in January by Don Jackson, a security researcher at SecureWorks Inc., an Atlanta-based managed security service provider. Jackson noted that there are at least two more known variants of Gozi, meaning new attacks are likely.
According to Jackson, an acquaintance reported that several accounts on Web sites he visited from work and home had been hijacked. An investigation of the PC used to access the sites uncovered a previously unclassified malware executable that appeared to have been installed last December.
An analysis of the Trojan program showed that it was designed to steal data from encrypted Secure Sockets Layer (SSL) streams and send it to a server based in Russia. The Trojan took advantage of a vulnerability in the iFrame tags of Microsoft Corp.'s Internet Explorer. The buffer overflow flaw basically allows attackers to take complete control of a compromised system. In this case, the users compromised by the Gozi Trojan appear to have visited several hosted Web sites, community forums, social networking sites and those belonging to small businesses.
The server to which the information was being sent had a very professional-looking front end that allowed users to log into individual accounts, view indexed data and get results from queries based on certain fields such as URL and form parameters. Each customer-generated query had a price associated with it, Jackson said. The currency unit used on the site was WMZ, which is a WebMoney unit roughly equivalent to the U.S. dollar, Jackson said.
When Jackson first discovered the Trojan in January, not one of the 30 antivirus products he tested detected the malware specifically. Several flagged it as a suspicious file or a generic threat based on the fact that it was using a commonly known packing tool to compress the code. Updated versions of the same 30 products in early February did a better job of picking up Gozi, though even at that point five of the products completely missed it, according to Jackson.
Details of the Trojan and the information on the Russian server have been passed on to law enforcement authorities, and to several of the affected companies, Jackson said. The subscription service offering this stolen information was disabled Match 12, he said. However, the server housing the data is still online and is continuing to receive stolen information, he said.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Cybersecurity for Dummies eBook This book provides an in-depth examination of real-world attacks and APTs, the shortcomings of legacy security solutions, the capabilities of next-generation firewalls, and...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different.... All Cybercrime and Hacking White Papers | Webcasts