Gozi Trojan Harvests Huge Data Haul

A Russian Trojan program named Gozi that remained largely undetected for more than 50 days earlier this year has stolen more than 10,000 records containing confidential information belonging to about 5,200 home users.

The compromised information included about 2,000 Social Security numbers, account numbers, user names and passwords that the individuals used to log into bank accounts as well as online retail and e-commerce sites.

The stolen data also included employee log-in information to applications from more than 300 companies and government organizations—including several law enforcement agencies at the federal and state level—as well as medical information of health-care employees and patients whose user names and passwords were compromised via their home PCs.

All of the information was sent by Gozi to a server in St. Petersburg, where it was then sold on a subscription basis to an unknown number of individuals. The black market street value of the stolen data: US$2 million.

Details of the Trojan and the stolen information were uncovered in January by Don Jackson, a security researcher at SecureWorks, an Atlanta-based managed security service provider. Jackson noted that there are at least two more known variants of Gozi, meaning new attacks are likely.

According to Jackson, an acquaintance reported that several accounts on websites he visited from work and home had been hijacked. An investigation of the PC used to access the sites uncovered a previously unclassified malware executable that appeared to have been installed last December.

An analysis of the Trojan program showed that it was designed to steal data from encrypted SSL streams and send it to a server based in Russia. The Trojan took advantage of a vulnerability in the iFrame tags of Microsoft’s Internet Explorer. The buffer overflow flaw basically allows attackers to take complete control of a compromised system. In this case, the users compromised by the Gozi Trojan appear to have visited several hosted websites, community forums, social networking sites and those belonging to small businesses.

The server to which the information was being sent had a very professional-looking front end that allowed users to log into individual accounts, view indexed data and get results from queries based on certain fields such as URL and form parameters. Each customer-generated query had a price associated with it, Jackson said. The currency unit used on the site was WMZ, which is a WebMoney unit roughly equivalent to the U.S. dollar, Jackson said.

When Jackson first discovered the Trojan in January, not one of the 30 antivirus products he tested detected the malware specifically. Several flagged it as a suspicious file or a generic threat based on the fact that it was using a commonly known packing tool to compress the code. Updated versions of the same 30 products in early February did a better job of picking up Gozi, though even at that point five of the products completely missed it, according to Jackson.

Details of the Trojan and the information on the Russian server have been passed on to law enforcement authorities, and to several of the affected companies, Jackson said. The subscription service offering this stolen information was disabled March 12, he said. However, the server housing the data is still online and is continuing to receive stolen information, he said.

-Jaikumar Vijayan, Computerworld

Join the discussion
Be the first to comment on this article. Our Commenting Policies