Internet connections were never considered being safe. When you post some text to regular web site it is transferred to remote server unencrypted. Anyone standing between your computer and a server can easily intercept all your traffic. That’s why neither of banks, online shops or other financial online services uses plain, unencrypted connections. All the traffic goes through secure SSL/TLS protocols that provide reliable and unbreakable protection.
But sometimes even secure connections do not help. Attackers can install keyloggers to your computer or take screenshots of your activity. However, that isn’t so easy. They can infect thousands of computers with a specific parasite, but this would result in thousands or even hundreds of thousands screenshots and logs. Obviously, an attack must be targeted.
But taking screenshots and logging keystrokes is quite easy to detect. Furthermore, it’s not a convenient way to steal info from more than one computer. Malware authors are finding new ways to steal highly valuable information transferred through SSL/TLS. Their latest creation is the Gonzi trojan that intercepts network data on the fly, before it is encrypted and transferred through SSL/TLS. The parasite is so sophisticated and new that it went undetected all the time from December 2006 till February 2007. Only now major antivirus products detect this pest.
SecureWorks, a company providing managed security service, has published an in-depth analysis of Gonzi. It has absolutely all the details you should know and even more including some programmers mumbo-jumbo. We provide just a few highlights that should be interesting to you.
- The trojan spreads through exploits. It compromised more than 5200 hosts and 10,000 user accounts on hundreds of sites. Accounts at popular banks, financial services, health care and government sites affected.
The information stolen contained everything from bank, retail and payment services account numbers, as well as social security numbers and other personal information. The records retrieved included account numbers and passwords from clients of many of the top global banks and financial services companies (over 30 banks and credit unions were represented), the top US retailers, and the leading online retailers.
The stolen data also contained numerous user accounts and passwords for employees working for federal, state and local government agencies, as well national and local law enforcement agencies. The stolen data also contained patient medical information, via healthcare employees and healthcare patients, whose username and passwords had been compromised via their home PC.
- Gozi main functionality is stealing all the data transferred through secure SSL/TLS protocols. The parasite intercepts any data before it is encrypted and sent to a secure site.
The code reveals that calls to functions in ws2_32.dll are used to establish itself as an LSP (layered service provider) using the Winsock2 SPI (Service Provider Interface). It “goes in between” Internet Explorer and the socket used to send the data.
- The parasite uses an integrated rootkit to hide its files and registry entries. It’s hard to detect and remove.
Reference: Gozi Trojan