

Top Poster

Status: Offline
Posts: 3757
Date:
Russian (Gozi) Trojan powering massive ID-theft ring


March 21st, 2007


Posted by Ryan Naraine @ 7:11 am Categories: Patch Watch, Hackers, Microsoft, Browsers, Vulnerability research, Responsible disclosure, Spam and Phishing, Spyware and Adware, Botnets, Exploit code, Black Hat, Viruses and Worms, Data theft, McAfee, Symantec

Researchers at SecureWorks have stumbled upon what appears to be a massive identity theft ring using state-of-the-art Trojan code to steal confidential data from thousands of infected machines in the U.S.

The Trojan, which connects to a server in Russia, has so far pilfered information from more than 5,200 home computers with 10,000 account records. The records retrieved included account numbers and passwords from clients of many of the top global banks and financial services companies (over 30 banks and credit unions were represented), the top US retailers, and the leading online retailers.

"The stolen data also contained numerous user accounts and passwords for employees working for federal, state and local government agencies, as well as national and local law enforcement agencies. The stolen data also contained patient medical information, via healthcare employees and healthcare patients, whose usernames and passwords had been compromised via their home PC," Jackson said.

In a fascinating blow-by-blow description posted online, SecureWorks researcher Don Jackson explained how he reverse-engineered the Trojan (named Gozi) and traced it back to a Russian mothership server that contained information and employee login information for confidential government and law enforcement applications.

This data was being offered for sale by Russian hackers for an amount totaling over $2 million. The subscription service hawking the stolen information has been disabled but, as of today, the server hosting the data is still receiving stolen data.

  • Steals SSL data using advanced Winsock2 functionality
  • Uses state-of-the-art, modularized trojan code
  • Launches attacks through Internet Explorer browser exploits
  • Uses customized server/database code to collect sensitive data
  • Offers a customer interface for online purchases of stolen data
  • Steals data primarily from infected home PCs
  • Accounts at top financial, retail, health care, and government services affected
  • The black market value of the stolen data is at least $2 million

Even more worrying, Jackson found that the Trojan went undetected for several weeks (and, in some cases, months) by many anti-virus vendors. He also warned that there are two other known Gozi variants making the rounds, which suggests this isn't the last we've heard of Gozi.

As of the publication date, the server used by the Gozi trojan is still up. The server status is as follows:

  • Still processing data from existing trojan infections
  • Still allowing new infections to "register" themselves
  • Still accepting and processing stolen data from new infections
  • The large cache of stolen data has been removed
  • The admin interface used to add subscriptions has been removed
  • The customer interface used to buy stolen data has been removed
  • The server is no longer hosting any executables

(See Jackson's description of the identity-theft operation connected to the Gozi Trojan).



__________________

Exposing the sleazery of ebaY and PayPal

 




WoW!!!

This was a couple clicks from all my diggs, which I listed on my blog today.
Scary stuff.

You folks wanna see some other curious stuff, go find a site called "The HangUP Team Site"

__________________

Exposing the sleazery of ebaY and PayPal

 




A detailed report from www.secureworks.com

__________________

Exposing the sleazery of ebaY and PayPal

 




just a tad dated

Nastier Version of Gozi Trojan on the Loose

New version of Trojan horse steals account numbers, passwords, Social Security numbers, and more, sends data to a server in Russia.

Jaikumar Vijayan, Computerworld

Monday, May 21, 2007 8:00 AM PDT

A new, stealthier version of a previously known Russian Trojan horse program called Gozi has been circulating on the Internet since April 17 and has already stolen personal data from more than 2,000 home users worldwide.

The compromised information includes bank and credit card account numbers (including card verification value codes), Social Security numbers and online payment account numbers as well as usernames and passwords. As with its predecessor, the new version of Gozi is programmed to steal information from encrypted Secure Sockets Layer (SSL) streams and send the stolen information to a server in Russia.

The variant was discovered by Don Jackson, a security researcher at Atlanta-based SecureWorks Inc. who also discovered the original Gozi Trojan horse back in January.

Two core "enhancements"

According to Jackson, the new version is very similar to the original Gozi code in its purpose, but features two core enhancements. One of them is its use of a new and hitherto unseen "packer" utility that encrypts, mangles, compresses and even deletes portions of the Trojan horse code to evade detection by standard, signature-based antivirus tools. The original Gozi, in contrast, used a fairly commonly known packing utility called Upack, which made it slightly easier to detect than the latest version.

This version of Gozi also has a new keystroke-logging capability for stealing data, in addition to its ability to steal data from SSL streams. According to Jackson, the keystroke logger appears to be activated when the user of an infected computer visits a banking Web site or initiates an SSL session. It is still unclear how exactly the keystroke logger knows to turn itself on and capture information, Jackson said.

Apart from those two differences, the variant is identical to Gozi, Jackson said. The Trojan horse takes advantage of a previously fixed vulnerability in the iFrame tags of Microsoft Corp.'s Internet Explorer to infect systems. Users typically appear to be infected when visiting certain hosted Web sites, community forums, social networking sites and those belonging to small businesses.

A service provider steps in

The server to which the stolen data was being sent was located on a Russian network. The upstream Internet service provider for the network was a company based in Panama, Jackson said. After being informed about the Gozi Trojan horse and its data cache, the service provider appears to have "no-routed" the destination, meaning the rogue server has effectively been cut off from the Internet, he said.

SecureWorks has also contacted law enforcement authorities and informed them about the data cache, Jackson said. In addition, SecureWorks has made a signature for detecting the Gozi version available to other vendors so they can include it in their antivirus products, he said. So far, about 15 out of the top 30 providers of antivirus tools have incorporated the signature into their products and are able to detect and stop Gozi with varying degrees of efficiency, he said.

The original Trojan horse stole more than 10,000 records containing confidential information belonging to about 5,200 home users, companies, government agencies and law enforcement organizations before being detected. The server to which the data was being sent had a very professional-looking front end that allowed users to log into individual accounts, view indexed data and get results from queries based on certain fields such as URL and form parameters.

Each customer-generated query had a price associated with it, with transactions being conducted using a currency unit called WMZ, a WebMoney unit that is roughly equivalent to US$1. The server was managed by a Russian group called 76Service, which in turn had purchased the Gozi code from a set of Russian hackers calling themselves the HangUp Team.




__________________

Exposing the sleazery of ebaY and PayPal

 
