NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0180 Stealthier Gozi Trojan Version on the Loose:


A stealthier version of a previously known Russian Trojan horse program, called Gozi and circulating on the Net since 17APR, has already stolen personal data from more than 2,000 home users worldwide. The compromised information includes bank and credit card account numbers, including CVV (Card Verification Value) codes; Social Security Numbers; online payment account numbers; and usernames and passwords. As with its predecessor, the new version of Gozi is programmed to capture data from SSL-protected sessions (the capture happens on the infected host, where the data is available before the browser encrypts it; SSL itself is not broken) and to send the stolen information to a server based in Russia. SecureWorks Inc. security researcher Don Jackson, who discovered both Trojan variants, said the new version is very similar to the original Gozi code in its purpose but features two core enhancements. One is the use of a new and hitherto unseen "packer" utility that encrypts, mangles, compresses and even deletes portions of the Trojan code, so that the bytes on disk no longer match the signatures used by standard signature-based anti-virus tools. The other is a new keystroke logging capability, in addition to the SSL-session capture; according to Jackson, the keystroke logger appears to be activated when the user of an infected system visits a banking Web site or initiates an SSL session. The Trojan infects systems through a previously patched vulnerability in Internet Explorer's handling of iFrame tags, so machines that are current on Microsoft updates are not exposed through that vector. Users typically appear to be infected when visiting certain hosted Web sites, community forums, social networking sites, and sites belonging to small businesses.
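The packer point above is worth seeing concretely. The following is an added example, not code from the advisory, from SecureWorks or from Gozi: it shows why a byte signature stops matching once a body has been encrypted by a packer, why a byte-entropy heuristic still flags the packed file, and why the original bytes (and the signature) reappear only after the packer's stub runs. The "trojan body", the signature string and the XOR keystream packer are all constructed stand-ins.

```python
"""Added example (not from the page or from SecureWorks): why a packer defeats
byte-signature scanning, and what an entropy heuristic flags instead.

All inputs are constructed here; the "trojan body", the signature string and
the XOR keystream packer are stand-ins, not Gozi's real code or packer.
"""
import math
import random

# Constructed stand-in for an unpacked malware body. Repeated pseudo-code keeps
# the byte entropy low, as real machine code and embedded strings do.
UNPACKED_BODY = b"mov eax, ebx ; call post_form_data ; jmp loop ; " * 128

# Hypothetical byte signature a scanner might carry for this body.
SIGNATURE = b"call post_form_data"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, plain text is roughly 4 to 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def keystream(length: int, seed: int) -> bytes:
    """Deterministic pseudo-random keystream standing in for a packer's cipher."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def pack(body: bytes, seed: int = 0x1337) -> bytes:
    """Toy packer: XOR the body with a keystream. Real packers also compress and
    prepend a decompression stub, but the effect on the on-disk bytes is the
    same: the original byte sequences, and any signature for them, disappear."""
    return bytes(b ^ k for b, k in zip(body, keystream(len(body), seed)))


def unpack(packed: bytes, seed: int = 0x1337) -> bytes:
    """What the packer's stub does at run time: recover the body in memory."""
    return pack(packed, seed)  # XOR with the same keystream is its own inverse


def signature_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain byte-signature match: the check that packing evades."""
    return signature in data


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Entropy heuristic: encrypted or compressed data sits near 8 bits/byte."""
    return shannon_entropy(data) >= threshold


PACKED_BODY = pack(UNPACKED_BODY)


def analyze(data: bytes) -> dict:
    """Both checks on one blob, as a scanner might report them."""
    return {
        "entropy": round(shannon_entropy(data), 2),
        "signature_hit": signature_scan(data),
        "looks_packed": looks_packed(data),
    }


if __name__ == "__main__":
    print("unpacked on disk :", analyze(UNPACKED_BODY))
    print("packed on disk   :", analyze(PACKED_BODY))
    print("after unpacking  :", analyze(unpack(PACKED_BODY)))
```

Two caveats for anyone turning this into a detection: high entropy also describes legitimate compressed installers, media and encrypted archives, so it is a triage signal rather than a verdict; and the `unpack` step is the reason memory scanning after the stub has run, rather than scanning the file on disk, is what recovers a usable signature match against a packed sample.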

The original Gozi Trojan stole more than 10,000 records containing confidential information belonging to about 5,200 home users, companies, government agencies, and law enforcement organizations before being detected. The server to which the data was sent had a very professional-looking front end that allowed users to log into individual accounts, view indexed data and get results from queries based on certain fields such as URL and form parameters.

Each customer-generated query carried a price, with transactions conducted in a currency unit called WMZ, a WebMoney unit roughly equivalent to one dollar. The server was managed by a Russian group called 76Service, which in turn had purchased the Gozi Trojan code from a set of Russian hackers calling themselves the HangUp Team.

(www.computerworld.com 19MAY07)



Last Modified: Monday, 28-May-2007 09:08:22 EDT