Gozi Trojan - Targets Internet Explorer Vulnerabilities even in SSL mode
AV vendors currently offer limited information, but several excellent write-ups on the threat are noted below. The SSL/Winsock interface used by the trojan would make even trusted server connections unsafe for infected users. Users should be careful in all aspects of Internet access (e.g., email, IM, websites, etc.).
CERT: Gozi Trojan Targets Microsoft Internet Explorer Vulnerabilities
QUOTE: The Trojan is reportedly spread via IE browser exploits and has primarily targeted infected home computers. While new and sophisticated exploits can be difficult to defend against, US-CERT encourages users to take the following preventative measures to help mitigate browser-based security risks:
- Install anti-virus software, and keep its virus signature files up-to-date.
- Review the Securing Your Web Browser document.
SecureWorks - Excellent In-Depth Analysis
QUOTE: A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.
- Steals SSL data using advanced Winsock2 functionality
- State-of-the-art, modularized trojan code
- Spread through IE browser exploits
- Undetected for weeks, months by many AV vendors
- Customized server/database code to collect sensitive data
- Customer interface for on-line purchases of stolen data
- Accounts compromised by stealing data primarily from infected home PCs
- Accounts at top financial, retail, health care, and government services affected
- Data's black market value at least $2 million
ISC: Gozi Trojan Steals SSL Encrypted Data for Fun and Profit
Russian (Gozi) Trojan powering massive ID-theft ring
Gozi Trojan Data Up For Sale Using Webmoney