How Gozi’s First Second Unfolds

The Gozi Trojan has improved dramatically since SecureWorks researcher Don Jackson downloaded the first known sample in February 2007. Still, understanding how that first one installed itself on a system offers a good non-technical primer on malware injection and the techniques used to beat the defenses. (For a full technical report, refer to Jackson’s thorough unraveling of Gozi here: http://www.secureworks.com/research/threats/gozi)

Even before Gozi was downloaded, it had been designed to confuse. Downloaders, the programs that inject the malware, are recognized by anti-intrusion product signatures, so Gozi split up keywords and strings of code in the downloader so that the pattern that defensive technologies normally would recognize didn’t exist. Once Gozi gots by that gate, those keywords and strings of code were reassembled to their proper place.

Then following took place in under one second:

1. In the Windows file where the logged-in user’s custom settings are stored, Gozi writes a file called xx_abcd.exe, where abcd are random characters. This is the data stealing engine.

2. Gozi writes several registry entries, including an xx_id value, a random number that serves as a unique infection ID. All information taken from this computer can then be associated with a dossier on that user’s information.

3. Gozi instructs windows to hide these registry entries, and all associated files including xx_abcd.exe.

4. Gozi unpacks and installs a SOCKS proxy backdoor and assigns a password. This allows the person controlling the Gozi bot to send it updated instructions or add features and functionality to it anonymously and invisibly.

5. Gozi unpacks a default set of options including what URLs it should wake up and monitor for forms it can grab and what IP addresses will serve as this machine’s drop point.

6. Gozi contacts the “mothership” or home server.

7. The mothership tells Gozi to send it all client certificates it can find on the PC, along with the machine’s newly assigned unique ID.

8. Gozi downloads from the mothership an updated set of options to replace or augment the default ones unpacked from the malware. The new instructions might simply override the default options or they might have more specific instructions on new drop sites and other information.

9. Gozi waits.

After that, whenever you start entering form data, it catches it on the fly and passes it off along with the unique infection ID to its drop point, where still more code is sorting the data. This happens whether or not the form data is SSL encrypted. On sites where the little lock on the browser glows, Gozi still works. It intercepts the form data in the vestibule that exists after it’s entered and before it’s encrypted. Jackson spent three days debugging Gozi. He says the first sample he looked at was rudimentary. It didn’t encrypt its own transmissions. Some of the encryption and random character generation it used was weak. It didn’t obfuscate its transmissions using proxy communication effectively. As he thought, later versions improved on these weaknesses dramatically, in the span of only a few months. “They didn’t have to be so advanced with Gozi but now they are,” he says. “It will only get more advanced over time.”