The Trojan, which connects to a server in Russia, has so far pilfered information from more than 5,200 home computers with 10,000 account records. The records retrieved included account numbers and passwords from clients of many of the top global banks and financial services companies (over 30 banks and credit unions were represented), the top US retailers, and the leading online retailers. "The stolen data also contained numerous user accounts and passwords for employees working for federal, state and local government agencies, as well as national and local law enforcement agencies. The stolen data also contained patient medical information, via healthcare employees and healthcare patients, whose usernames and passwords had been compromised via their home PC," Jackson said.
In a fascinating blow-by-blow description posted online, SecureWorks researcher Don Jackson explained how he reverse-engineered the Trojan (named Gozi) and traced it back to a Russian mothership server that contained information and employee login information for confidential government and law enforcement applications.
This data was being offered for sale by Russian hackers for an amount totaling over $2 million. The subscription service hawking the stolen information has been disabled but, as of today, the server hosting the data is still receiving stolen data.
- Steals SSL data using advanced Winsock2 functionality
- Uses state-of-the-art, modularized trojan code
- Launches attacks through Internet Explorer browser exploits
- Uses customized server/database code to collect sensitive data
- Offers a customer interface for online purchases of stolen data
- Steals data primarily from infected home PCs
- Accounts at top financial, retail, health care, and government services affected
- The black market value of the stolen data is at least $2 million
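The first bullet attributes the SSL theft to Winsock2 functionality, and code that intercepts socket traffic on Windows generally has to register itself in the Winsock provider catalog. One defensive check is therefore to audit that catalog for layered providers or provider DLLs loaded from outside system32. The script below is an added example, not from the article or from SecureWorks; it parses a constructed excerpt of `netsh winsock show catalog` output (the `nethlp.dll` entry is invented for illustration) and flags such entries.

```python
import re

# Constructed sample of `netsh winsock show catalog` output (not real host data).
# The second entry is a hypothetical layered provider loading a DLL from a
# user-writable location, the kind of entry an audit should surface.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Network Helper over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\\Users\\Public\\nethlp.dll
Catalog Entry ID:                   1034
Protocol Chain Length:              2
"""

# Provider DLLs are expected to live under the system directory.
TRUSTED_DIR = re.compile(r"^(%SystemRoot%|C:\\Windows)\\system32\\", re.IGNORECASE)

def parse_catalog(text):
    """Split netsh output into one dict of 'Field: value' pairs per entry."""
    entries = []
    for chunk in text.split("Winsock Catalog Provider Entry")[1:]:
        fields = {}
        for line in chunk.splitlines():
            if ":" in line and not line.startswith("-"):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries

def suspicious_entries(text):
    """Return (catalog entry id, reason) for layered providers and DLLs outside system32."""
    flagged = []
    for e in parse_catalog(text):
        reasons = []
        if "Layered" in e.get("Entry Type", ""):
            reasons.append("layered provider")
        if not TRUSTED_DIR.match(e.get("Provider Path", "")):
            reasons.append("provider DLL outside system32")
        if reasons:
            flagged.append((e.get("Catalog Entry ID"), "; ".join(reasons)))
    return flagged
```

A layered provider is not malicious by itself (some security products register one), so treat a hit as a lead for verifying the DLL's publisher and hash rather than as a verdict.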
Even more worrying, Jackson found that the Trojan went undetected for several weeks (and, in some cases, months) by many anti-virus vendors. He also warned that there are two other known Gozi variants making the rounds, which suggests this isn't the last we've heard of Gozi.
As of the publication date, the server used by the Gozi Trojan is still up. The server status is as follows:
- Still processing data from existing trojan infections
- Still allowing new infections to "register" themselves
- Still accepting and processing stolen data from new infections
- The large cache of stolen data has been removed
- The admin interface used to add subscriptions has been removed
- The customer interface used to buy stolen data has been removed
- The server is no longer hosting any executables
(See Jackson's description of the identity-theft operation connected to the Gozi Trojan).