New and improved version of Gozi Trojan horse on the loose
Stealthier Russian malware on the loose since April
Computerworld - A new, stealthier version of a previously known Russian Trojan horse program called Gozi has been circulating on the Internet since April 17 and has already stolen personal data from more than 2,000 home users worldwide.
The compromised information includes bank and credit card account numbers (including card verification value codes), Social Security numbers and online payment account numbers as well as usernames and passwords. As with its predecessor, the new version of Gozi is programmed to steal information from encrypted Secure Sockets Layer (SSL) streams and send the stolen information to a server in Russia.
Two core "enhancements"
According to Jackson, the new version is very similar to the original Gozi code in its purpose, but features two core enhancements. One of them is its use of a new and hitherto unseen "packer" utility that encrypts, mangles, compresses and even deletes portions of the Trojan horse code to evade detection by standard, signature-based antivirus tools. The original Gozi, in contrast, used a fairly commonly known packing utility called Upack, which made it slightly easier to detect than the latest version.
This version of Gozi also has a new keystroke-logging capability for stealing data, in addition to its ability to steal data from SSL streams. According to Jackson, the keystroke logger appears to be activated when the user of an infected computer visits a banking Web site or initiates an SSL session. It is still unclear how exactly the keystroke logger knows to turn itself on and capture information, Jackson said.
Apart from those two differences, the variant is identical to Gozi, Jackson said. The Trojan horse takes advantage of a previously fixed vulnerability in the iFrame tags of Microsoft Corp.'s Internet Explorer to infect systems. Users typically appear to be infected when visiting certain hosted Web sites, community forums, social networking sites and those belonging to small businesses.
A service provider steps in
The server to which the stolen data was being sent to was located on a Russian network. The upstream Internet service provider for the network was a company based in Panama, Jackson said. After being informed about the Gozi Trojan horse and its data cache, the service provider appears to have "no-routed" the destination, meaning the rogue server has effectively been cut off from the Internet, he said.
SecureWorks has also contacted law enforcement authorities and informed them about the data cache, Jackson said. In addition, SecureWorks has made a signature for detecting the Gozi version available to other vendors so they can include it in their antivirus products, he said. So far, about 15 out of the top 30 providers of antivirus tools have incorporated the signature into their products and are able to detect and stop Gozi with varying degrees of efficiency, he said.
The original Trojan horse stole more than 10,000 records containing confidential information belonging to about 5,200 home users, companies, government agencies and law enforcement organizations before being detected. The server to which the data was being sent to had a very professional-looking front end that allowed users to log into individual accounts, view indexed data and get results from queries based on certain fields such as URL and form parameters.
Each customer-generated query had a price associated with it, with transactions being conducted using a currency unity called WMZ, a WebMoney unit that is roughly equivalent to $1. The server was managed by a Russian group called 76Service, which in turn had purchased the Gozi code from a set of Russian hackers calling themselves the HangUp Team.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts