Gozi Trojan Analysis

Russian malware authors are finding new ways to steal and profit from data that used to be considered safe from thieves because it was encrypted with SSL/TLS. Originally, this analysis intended to provide insight into the mechanisms used to steal that data, but it became an investigation into the growing trend of malware sold not as a product but as a service. Eventually it led to an alarming find and resulted in an active law enforcement investigation.


A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.

* Steals SSL/TLS-protected data through advanced Winsock2 functionality (a layered service provider inserted into the Winsock catalog)
* State-of-the-art, modularized trojan code
* Spread through IE browser exploits
* Undetected for weeks or months by many AV vendors
* Customized server/database code to collect sensitive data
* Customer interface for on-line purchases of stolen data
* Accounts compromised by stealing data primarily from infected home PCs
* Accounts at top financial, retail, health care, and government services affected
* Data's black market value at least $2 million
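Gozi's capture of SSL/TLS-protected data ran through Winsock2, and the mechanism the SecureWorks analysis documents is a Layered Service Provider (LSP) registered in the Winsock catalog, which sits between applications and the base TCP/IP provider and so sees every socket call they make. The check a responder wants on a suspect host is therefore "which LSPs are installed, and where do their DLLs live?" The script below is an added example, not code from the SecureWorks report or from Gozi itself: it parses catalog output in the shape `netsh winsock show catalog` prints on Windows and flags layered entries and providers loaded from outside %SystemRoot%\system32. The catalog text, the DLL name and the GUIDs of the flagged entries are constructed for the example; the field layout approximates the real tool's output with some fields omitted.

```python
"""
Triage a Winsock2 provider catalog for layered service providers (LSPs).

Added example (not from the SecureWorks Gozi analysis). Parses text in the
shape of `netsh winsock show catalog` and flags entries that are layered
providers/chains or that load a DLL from outside %SystemRoot%\\system32.
The sample catalog, DLL path and GUIDs below are constructed/hypothetical.
"""
import re

# Constructed sample: one legitimate base provider, one hypothetical LSP
# (Protocol Chain Length 0 marks a layered provider) and the chain entry
# that layers it over the TCP/IP base provider.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Service Flags:                      0x20066
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        HYPOTHETICAL Layered Provider
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\\Users\\victim\\AppData\\Local\\Temp\\lsp_example.dll
Catalog Entry ID:                   1031
Service Flags:                      0x20066
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        HYPOTHETICAL Layered Provider over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\\Users\\victim\\AppData\\Local\\Temp\\lsp_example.dll
Catalog Entry ID:                   1032
Service Flags:                      0x20066
Protocol Chain Length:              2
Protocol Chain:                     1031 1001
"""

ENTRY_HEADER = "Winsock Catalog Provider Entry"
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s+(.*)$")
# Directories a default Windows install loads Winsock providers from.
TRUSTED_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_catalog(text):
    """Split the netsh-style text into one dict of 'Field': 'value' per entry."""
    entries = []
    for chunk in text.split(ENTRY_HEADER)[1:]:
        entry = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                entry[m.group(1).strip()] = m.group(2).strip()
        if entry:
            entries.append(entry)
    return entries


def is_trusted_path(path):
    """True when the provider DLL sits directly under the system32 directory."""
    p = path.strip().lower()
    return any(p.startswith(pre) and "\\" not in p[len(pre):] for pre in TRUSTED_PREFIXES)


def chain_targets(entries, chain_entry):
    """Resolve a chain entry's catalog IDs to the descriptions they refer to."""
    by_id = {e.get("Catalog Entry ID"): e for e in entries}
    ids = chain_entry.get("Protocol Chain", "").split()
    return [by_id.get(i, {}).get("Description", "<unknown %s>" % i) for i in ids]


def triage(entries):
    """Return one finding per suspicious entry, with the reasons it was flagged."""
    findings = []
    for e in entries:
        entry_type = e.get("Entry Type", "")
        path = e.get("Provider Path", "")
        reasons = []
        if "Layered" in entry_type:
            reasons.append("layered provider or chain present in catalog")
        if not is_trusted_path(path):
            reasons.append("provider DLL loaded from outside %SystemRoot%\\system32")
        if reasons:
            findings.append({
                "id": e.get("Catalog Entry ID"),
                "type": entry_type,
                "path": path,
                "reasons": reasons,
                "chain": chain_targets(entries, e) if "Chain" in entry_type else [],
            })
    return findings


if __name__ == "__main__":
    for f in triage(parse_catalog(SAMPLE_CATALOG)):
        print("[!] entry %s (%s) %s" % (f["id"], f["type"], f["path"]))
        for r in f["reasons"]:
            print("    - " + r)
        if f["chain"]:
            print("    chain: " + " -> ".join(f["chain"]))
```

On a live host, feed the script the real output of `netsh winsock show catalog` instead of the constructed sample. A flagged entry is a lead, not a verdict: some antivirus, firewall and VPN products legitimately install LSPs, so confirm the DLL's publisher and signature before treating it as malicious, and remember that a trojan which hooks the browser directly rather than the socket layer will not appear in this catalog at all.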

There are two other known variants; new variants and similar attacks are inevitable.

Source: Gozi Trojan - Research - SecureWorks

Linked by shanmuga Friday, 23rd March 2007 1:13AM