March 22, 2007

A nasty Trojan

A very nasty piece of work has been floating around for the last couple of weeks. Don Jackson at Secure Works did a very thorough examination and analysis:
Gozi Trojan
Russian malware authors are finding new ways to steal and profit from data which used to be considered safe from thieves because it was encrypted using SSL/TLS. Originally, this analysis intended to provide insight into the mechanisms used to steal that data, but it became an investigation into the growing trend of malware sold not as a product, but as a service. Eventually it led to an alarming find and resulted in an active law enforcement investigation.

Highlights
A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.
  • Steals SSL data using advanced Winsock2 functionality
  • State-of-the-art, modularized trojan code
  • Spread through IE browser exploits
  • Undetected for weeks or months by many AV vendors
  • Customized server/database code to collect sensitive data
  • Customer interface for on-line purchases of stolen data
  • Accounts compromised by stealing data primarily from infected home PCs
  • Accounts at top financial, retail, health care, and government services affected
  • Data's black market value at least $2 million

There are two other known variants. New variants, similar attacks inevitable.
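The quoted summary says only that the trojan taps "advanced Winsock2 functionality" to get at SSL data; it does not say which mechanism. The following is an added example, not part of the SecureWorks analysis or of this post, written on the assumption that the foothold is the Winsock2 Layered Service Provider (LSP) catalog, the usual place a piece of malware registers itself to be loaded into every process that opens a socket, the browser included. It walks the catalog as reported by `netsh winsock show catalog` and flags layered entries, protocol chains that route through them, and provider DLLs that are missing, unsigned, or outside %SystemRoot%\system32. The header and field labels it parses ("Winsock Catalog Provider Entry", "Entry Type", "Provider Path", "Protocol Chain Length", and so on) are assumed from the typical output of that command.

```powershell
# Added example, not from the page or the quoted SecureWorks analysis.
# Enumerates the Winsock2 catalog and reports entries worth a second look.
# Assumptions: the mechanism is the LSP catalog (the page says only
# "advanced Winsock2 functionality"), and the header/field labels below
# match the output of "netsh winsock show catalog" (XP SP2 and later).

function Get-WinsockCatalog {
    # Parse "netsh winsock show catalog" into one object per catalog entry.
    $entries = @()
    $current = $null
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^Winsock Catalog Provider Entry') {
            if ($current) { $entries += [pscustomobject]$current }
            $current = @{}
            continue
        }
        if ($null -ne $current -and $line -match '^\s*([^:]+?):\s+(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current) { $entries += [pscustomobject]$current }
    return $entries
}

function Find-SuspiciousWinsockEntries {
    param([object[]]$Catalog)

    $sys32 = Join-Path $env:SystemRoot 'system32'
    foreach ($e in $Catalog) {
        $reasons = @()

        # An LSP registers itself as a layered entry; chains of length > 1
        # are the base providers that have been re-routed through it.
        if ($e.'Entry Type' -match 'Layered') { $reasons += 'layered service provider' }
        $chainLen = $e.'Protocol Chain Length' -as [int]
        if ($chainLen -gt 1) { $reasons += "protocol chain of length $chainLen (routes through an LSP)" }

        # Check where the provider DLL lives and whether it is signed.
        $path = [Environment]::ExpandEnvironmentVariables([string]$e.'Provider Path')
        if ($path) {
            if (-not $path.StartsWith($sys32, 'OrdinalIgnoreCase')) {
                $reasons += "provider DLL outside system32: $path"
            } elseif (-not (Test-Path $path)) {
                $reasons += "provider DLL missing on disk: $path"
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') { $reasons += "unsigned or bad signature ($($sig.Status))" }
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                CatalogEntryId = $e.'Catalog Entry ID'
                Description    = $e.Description
                ProviderPath   = $e.'Provider Path'
                Reasons        = ($reasons -join '; ')
            }
        }
    }
}

Find-SuspiciousWinsockEntries -Catalog (Get-WinsockCatalog) | Format-Table -AutoSize
```

A layered entry on its own is not proof of infection: some legitimate firewall and antivirus products install LSPs, so compare the output against a known-clean machine of the same build before acting on it, and treat an unsigned provider DLL in a user-writable directory as the real red flag. On 64-bit Windows the 32-bit catalog is listed separately and deserves the same inspection.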
One person's suggestion was to put the entire nation of Russia on dialup for the next ten years until they learned their lesson and started policing themselves a little better. The majority of the spam coming into this site originates from there or links to a Russian server.

Posted by DaveH at March 22, 2007 8:54 PM