Smart malware steals from SSL streams

A new variant of the Gozi Trojan is stealing data during SSL transactions

A new variant of the Russian Gozi Trojan has been discovered that is capable of stealing data during secure socket layer (SSL) transactions.

The Trojan is one of the most sophisticated yet found and has a variety of features designed to make it difficult to locate. When it detects an SSL transaction it activates and begins key-logging the infected computer to steal account details.

In addition the Trojan makes itself difficult to detect by constantly changing its coding so that signature-based systems will not detect it.

It also has its own compression software and will compress and extract portions of its code to further disguise itself.

"It is bad enough that this new version of Gozi can encrypt and rotate its program code to bypass conventional signature detection," said Geoff Sweeney, chief technical officer at security analysis software company Tier-3.

"But the fact that it can switch a key-logging function on and off when the infected PC reaches an e-banking web page makes it almost undetectable using conventional IT security technology.

"My understanding of this new version is that behavioural analysis technology is the only way of preventing an infected PC user's e-banking data from being logged and compromised."

The Trojan was discovered by Don Jackson, a researcher at SecureWorks in the US, who found that even with a malware signature, not all antivirus packages could detect the Trojan, although a few identified it as a suspicious file.

Jackson back-traced the IP address of the server to which it was sending the information and found that the details of over 5,200 home PC users, with 10,000 account records, had been compromised.

Account and log-in information for applications offered by over 300 organisations had been stolen through these infected home PCs.

"The information contained everything from bank, retail and payment services account numbers, as well as social security numbers and other personal information," said Jackson.

"The records retrieved included account numbers and passwords from clients of many of the top global banks and financial services companies (over 30 banks and credit unions were represented), the top US retailers, and the leading online retailers.

"The stolen data also contained numerous user accounts and passwords for employees working for federal, state and local government agencies, as well national and local law enforcement agencies."