NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0187 Gozi Trojan combines attack and deception capabilities:


Internet security firm SecureWorks has analyzed a new variant of the Gozi banking Trojan and identified a potent combination of capabilities. The Trojan is a member of a growing population of credential-theft tools that act as Layered Service Providers (LSPs), inserting themselves into the user's connection to the internet to steal or modify information. An LSP is a Windows Sockets 2 Service Provider Interface mechanism whereby a legitimate service such as a personal firewall can insert itself into the TCP/IP stack, enabling it to monitor and manipulate TCP/IP traffic. However, a malicious service can do the same, sending selected data to an external malicious target.
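Because an LSP has to register itself in the Winsock catalog to be loaded, a defender can audit that catalog for provider DLLs that are unsigned or sit outside the Windows directory. The following is an added example written for this advisory, not SecureWorks' or Microsoft's code; it assumes a Windows host with `netsh` available, and the "UNSIGNED"/"NONSYSTEM"/"MISSING" labels are this script's own convention.

```powershell
# Added example: enumerate Winsock catalog providers (the mechanism an LSP
# abuses) and flag entries worth a closer look. Run from an elevated prompt.
$catalog = netsh winsock show catalog

# Each catalog entry carries a "Provider Path:" line naming the provider DLL.
$paths = foreach ($line in $catalog) {
    if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
        [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
}
$paths = $paths | Sort-Object -Unique

$winDir = [Environment]::GetFolderPath('Windows')
foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        # A registered provider whose DLL is gone is itself suspicious.
        Write-Output ("MISSING   {0}" -f $path)
        continue
    }
    # Authenticode check; on current Windows this also honours catalog
    # signatures, so legitimate system DLLs report 'Valid'.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $inWindows = $path.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)
    $status = if ($sig.Status -ne 'Valid') { 'UNSIGNED ' }
              elseif (-not $inWindows)    { 'NONSYSTEM' }
              else                        { 'ok       ' }
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Write-Output ("{0} {1}  signer={2}" -f $status, $path, $signer)
}
```

Anything flagged should be compared against a known-good baseline from a clean host of the same build, since some third-party firewalls and VPN clients legitimately register LSPs.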

The new variant installs itself between the browser and the point where encryption is applied to the data in a supposedly secure SSL session, where it can snoop on the data as if there were no encryption. But it also hooks into the JavaScript engine to sniff AJAX sessions, whereby a JavaScript/XML web interface exchanges small data fragments instead of updating whole pages - a technique said to be widely used for secure banking credentials exchanges.

SecureWorks suggests that virtual two-factor authentication such as the sitekey system used by many banks - where the user is required to pick a pre-chosen image (sitekey) using the mouse - may not counter this new threat. Until now, attackers have reportedly relied on less-than-ideal techniques such as screen capture to breach the sitekey security. But if the interface uses AJAX, the images are identifiable individually by capturing the separate AJAX request that refers to each image. The JavaScript sniffer can grab and transmit these without resorting to keyboard or screen capture, and the results can often be analyzed to yield the correct answer.

The Trojan apparently infects users via a malicious web page with iframes containing JavaScript and ActiveX components that download a native executable. It seems to have stealth and rootkit capabilities which succeeded in evading leading anti-virus tools for at least a month, including the abilities to turn itself on and off depending on whether a banking site is being accessed, and to conceal its registry entries.

In an undercover probe conducted by SecureWorks, the investigator was told to join a secure IRC channel and offered tool kits for between $1,000 and $2,000, including customized versions of the Trojan.

(www.heise-security.co.uk 22MAY07)



Last Modified: Sunday, 03-Jun-2007 11:00:12 EDT