Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Gozi Trojan - Targets Internet Explorer Vulnerabilities even in SSL mode

There is limited information from AV vendors currently, but several excellent write-ups on the threat itself are noted below. The SSL/Winsock interface used by the trojan would make even trusted server connections unsafe for infected users. Users should be careful in all aspects of Internet access (e.g., email, IM, websites, etc.).

CERT: Gozi Trojan Targets Microsoft Internet Explorer Vulnerabilities
http://www.us-cert.gov/current/current_activity.html#gozi

QUOTE: The Trojan is reportedly spread via IE browser exploits and has primarily targeted infected home computers.  While new and sophisticated exploits can be difficult to defend against, US-CERT encourages users to take the following preventative measures to help mitigate browser-based security risks:

- Install anti-virus software, and keep its virus signature files up-to-date.
- Review the Securing Your Web Browser document.


Secure Works - Excellent In-Depth Analysis
http://www.secureworks.com/research/threats/gozi/?threat=gozi

QUOTE: A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.

- Steals SSL data using advanced Winsock2 functionality
- State-of-the-art, modularized trojan code
- Spread through IE browser exploits
- Undetected for weeks, months by many AV vendors
- Customized server/database code to collect sensitive data
- Customer interface for on-line purchases of stolen data
- Accounts compromised by stealing data primarily from infected home PCs
- Accounts at top financial, retail, health care, and government services affected
- Data's black market value at least $2 million
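One host-level check that follows from the Winsock2 point above, as an added example that is not from this post or the SecureWorks analysis: it lists every provider registered in the Winsock protocol catalog and flags any whose DLL lives outside System32 or lacks a valid Authenticode signature. It assumes the data-capturing hook is registered as a catalog entry (such as a Layered Service Provider), which the post itself does not state.

```powershell
# Added example: audit the Winsock2 protocol catalog for unexpected providers.
# Assumption: a hook that reads traffic at the Winsock2 layer shows up as a
# registered catalog entry, so unsigned or out-of-place provider DLLs are suspect.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
$system32 = Join-Path $env:SystemRoot 'System32'

# 64-bit Windows keeps 32-bit providers in Catalog_Entries and 64-bit ones in Catalog_Entries64.
$catalogs = @("$base\Protocol_Catalog9\Catalog_Entries", "$base\Protocol_Catalog9\Catalog_Entries64") |
    Where-Object { Test-Path $_ }

$entries = foreach ($catalog in $catalogs) {
    Get-ChildItem $catalog | ForEach-Object {
        # PackedCatalogItem is a REG_BINARY blob; its first 260 bytes hold the
        # provider DLL path as a NUL-terminated ANSI string (WSAPROTOCOL_INFO follows).
        $packed = (Get-ItemProperty $_.PSPath).PackedCatalogItem
        $raw    = [System.Text.Encoding]::ASCII.GetString($packed, 0, 260)
        $path   = [Environment]::ExpandEnvironmentVariables($raw.Split([char]0)[0])
        $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Catalog    = Split-Path $catalog -Leaf
            Entry      = $_.PSChildName
            Provider   = $path
            InSystem32 = $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
            Signature  = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Only the entries worth a second look: anything outside System32 or not validly signed.
$entries | Where-Object { -not $_.InSystem32 -or $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Run from an elevated PowerShell session; an empty table means every registered provider is a signed DLL under System32, which is the expected state on a clean host.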

Additional Articles:

ISC: Gozi Trojan Steals SSL Encrypted Data for Fun and Profit
http://isc.sans.org/diary.html?storyid=2498

Russian (Gozi) Trojan powering massive ID-theft ring
http://blogs.zdnet.com/security/?p=133

Gozi Trojan Data Up For Sale Using Webmoney
http://digitalmoneyworld.com/gozi-trojan-data-up-for-sale-using-webmoney/

Google Links
http://www.google.com/search?hl=en&q=gozi+trojan