A new version of the Gozi Trojan horse has been circulating on the Internet since mid-April. The new version was discovered by Don Jackson of Secure Works, who also first discovered the original Gozi earlier this year.
The new version is stealthier because it uses a new and previously unseen “packer” utility that encrypts, mangles, compresses and even deletes portions of the Trojan code, so that the file on disk no longer contains the byte patterns that standard signature-based anti-virus tools match on. The original Gozi Trojan, in contrast, used the widely known packing utility Upack, which made it somewhat easier to detect than the latest version: a well-known packer's unpacking routine is itself recognisable, and scanners can undo it before matching.
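As an added illustration (not code from the article, from Secure Works, or from the Gozi authors), the following Python toy shows why a new packer defeats signature-based scanning. It assumes a constructed stand-in payload with invented strings and opcode-like bytes, a deliberately simple encrypt-only packer (a SHA-256 keystream XOR; the real packer's compression, mangling and code deletion are omitted), and an entropy threshold of 6.5 bits per byte chosen for this example. It compares three detection strategies: a signature on the unpacked code, a signature carved from the packed file, and a packer-agnostic entropy heuristic, with a final pass that scans after unpacking, as a memory scanner or emulator would.

```python
import hashlib
import math
from collections import Counter
from typing import Callable, Dict, Iterable, Optional

# Constructed stand-in for a Trojan body. The strings and the opcode-like
# bytes are invented for this example; they are not real Gozi artifacts.
PAYLOAD = (
    b"MZ" + b"\x90" * 14
    + b"POST /gate.php HTTP/1.1\r\nHost: dropzone.example\r\n" * 3
    + b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08"
    + b"config=grab_ssl_forms;log=keystrokes;upload=interval\x00" * 2
    + b"[hook] keylogger armed on banking and https:// sessions\r\n" * 4
)

# A byte pattern an AV vendor might carve from the *unpacked* Trojan (invented).
PAYLOAD_SIGNATURE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57"

# Above this many bits per byte a blob looks encrypted or compressed
# rather than like code or text (threshold chosen for this example).
ENTROPY_THRESHOLD = 6.5


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256(key || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def pack(payload: bytes, key: bytes) -> bytes:
    """Toy packer: XOR the payload with a key-derived stream.

    A real packer also compresses, scrambles the layout and prepends an
    unpacking stub that rebuilds the code in memory; here unpack() plays
    the role of that stub.
    """
    return bytes(a ^ b for a, b in zip(payload, keystream(key, len(payload))))


def unpack(blob: bytes, key: bytes) -> bytes:
    """What the stub does at run time (XOR with the same stream is its own inverse)."""
    return pack(blob, key)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant blob, up to 8.0 for uniform bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(blob: bytes, signatures: Iterable[bytes],
             unpacker: Optional[Callable[[bytes], bytes]] = None) -> Dict[str, bool]:
    """Three detection strategies side by side.

    static_hit   - a signature matches the bytes as they sit on disk
    high_entropy - packer-agnostic heuristic: the blob does not look like code or text
    dynamic_hit  - a signature matches after unpacking (memory scan / emulation)
    """
    sigs = list(signatures)
    result = {
        "static_hit": any(s in blob for s in sigs),
        "high_entropy": shannon_entropy(blob) > ENTROPY_THRESHOLD,
        "dynamic_hit": False,
    }
    if unpacker is not None:
        unpacked = unpacker(blob)
        result["dynamic_hit"] = any(s in unpacked for s in sigs)
    return result


KEY_V1 = b"packer-key-v1"
KEY_V2 = b"packer-key-v2"  # the packer's next release, or simply a rebuilt sample
PACKED_V1 = pack(PAYLOAD, KEY_V1)
PACKED_V2 = pack(PAYLOAD, KEY_V2)

# A signature a vendor might carve from the packed sample after the first outbreak.
PACKED_V1_SIGNATURE = PACKED_V1[32:48]

if __name__ == "__main__":
    print("unpacked payload :", classify(PAYLOAD, [PAYLOAD_SIGNATURE]))
    print("packed v1        :", classify(PACKED_V1, [PAYLOAD_SIGNATURE, PACKED_V1_SIGNATURE]))
    print("repacked v2      :", classify(PACKED_V2, [PAYLOAD_SIGNATURE, PACKED_V1_SIGNATURE]))
    print("v2 after unpack  :", classify(PACKED_V2, [PAYLOAD_SIGNATURE],
                                         unpacker=lambda b: unpack(b, KEY_V2)))
```

Running it shows the pattern the article describes: the payload signature fires on the unpacked code but not on either packed file; a signature carved from the first packed sample fires only until the packer key changes; the entropy heuristic flags both packed files without knowing anything about the packer; and the payload signature fires again once the blob is unpacked, which is why memory scanning and emulation outlast static file signatures against new packers.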
This version of Gozi also adds a keystroke logger for stealing data, on top of the original's ability to steal data from SSL streams. According to Jackson, the keystroke logger appears to be activated when the user of an infected computer visits a banking Web site or initiates an SSL session.
Gozi is delivered through a vulnerability in MSIE's handling of iFrame tags, one that Microsoft had already patched, so machines with current patches are not exposed through that infection vector. Secure Works has supplied signature information to thirty leading anti-virus providers, about half of which have so far integrated the signatures into their products, so signature coverage for this variant is still uneven.
The ISP hosting the server to which the logged data were being sent has null-routed the destination address, so infected machines can no longer deliver stolen data there, although they remain infected. The original variant is believed to have affected over 5,000 home users; the new variant is believed to have affected another 2,500. The server was managed by a Russian group called 76service, which purchased the Trojan code from the Russian criminal group known as HangUp Team (or HT), a group known to have released malware such as Backdoor.Padodor before.