Russian (Gozi) Trojan powering massive ID-theft ring

Researchers at SecureWorks have stumbled upon what appears to be a massive identity theft ring using state-of-the-art Trojan code to steal confidential data from thousands of infected machines in the U.S.

The Trojan, which connects to a server in Russia, has so far pilfered information from more than 5,200 home computers with 10,000 account records. The records retrieved included account numbers and passwords from clients of many of the top global banks and financial services companies (over 30 banks and credit unions were represented), the top US retailers, and the leading online retailers.

"The stolen data also contained numerous user accounts and passwords for employees working for federal, state and local government agencies, as well as national and local law enforcement agencies. The stolen data also contained patient medical information, via healthcare employees and healthcare patients, whose usernames and passwords had been compromised via their home PC," Jackson said.

In a fascinating blow-by-blow description posted online, SecureWorks researcher Don Jackson explained how he reverse-engineered the Trojan (named Gozi) and traced it back to a Russian mothership server that contained information and employee login information for confidential government and law enforcement applications.

This data was being offered for sale by Russian hackers for an amount totaling over $2 million. The subscription service hawking the stolen information has been disabled but, as of today, the server hosting the data is still receiving stolen data.

  • Steals SSL data using advanced Winsock2 functionality
  • Uses state-of-the-art, modularized Trojan code
  • Launches attacks through Internet Explorer browser exploits
  • Uses customized server/database code to collect sensitive data
  • Offers a customer interface for online purchases of stolen data
  • Steals data primarily from infected home PCs
  • Accounts at top financial, retail, health care, and government services affected
  • The black market value of the stolen data is at least $2 million

Even more worrying, Jackson found that the Trojan went undetected for several weeks (and, in some cases, months) by many anti-virus vendors. He also warned that there are two other known Gozi variants making the rounds, which suggests this isn't the last we've heard of Gozi.

As of the publication date, the server used by the Gozi Trojan is still up. The server status is as follows:

  • Still processing data from existing Trojan infections
  • Still allowing new infections to "register" themselves
  • Still accepting and processing stolen data from new infections
  • The large cache of stolen data has been removed
  • The admin interface used to add subscriptions has been removed
  • The customer interface used to buy stolen data has been removed
  • The server is no longer hosting any executables

(See Jackson's description of the identity-theft operation connected to the Gozi Trojan).

  • Ryan, you forgot to mention one thing?

    What type of home PC was invaded?

    a:was it the Windows platform
    b:was it the mac platform
    c:was it the linux platform
    d:all of the above

    I'm betting it was the a: platform.
    • Yawn.

      Oh, look: another "helpful", "intelligent" post from our resident MBF, Intellihence...
      John Zern
    • Which Windows? 98, XP, 2000 ?

      Does it (Gozi) work in all versions of Windows?
  • Ryan, I forgot to mention one thing.

    Thanks for bringing up the story about the X-Box accounts being hacked/owned. You really made my day. I love it when all the Microsoft Zealots disappear into the woodwork where they belong.

    P.S. Tell George Ou I'm still waiting for the MacBook P.O.C.

    Mac OS X & Linux Boxes RULE !!!
    • Gozi

      Wouldn't you know, you were right. Option A on your Butcher's Board

      An analysis of the Trojan program showed that it was designed to steal data from encrypted Secure Sockets Layer (SSL) streams and send it to a server based in Russia. The Trojan took advantage of a vulnerability in the iFrame tags of Microsoft Corp.'s Internet Explorer. The buffer overflow flaw basically allows attackers to take complete control of a compromised system. In this case, the users compromised by the Gozi Trojan appear to have visited several hosted Web sites, community forums, social networking sites and those belonging to small businesses.

      and the link:

      And as you said, Silence of the Lambs or is that lemmings?
  • Poor windows

    So why do people always pick on Windows? Everyone thinks Mac and Linux are so perfect, but if you think about it, who would want to write a virus to attack a small portion of the market? If you spend the time, you would send it after a Windows machine due to the number-to-number ratio it has over your beloved machines. Plus it was most likely a Linux person who wrote the virus.
    • Poor users rather

      I agree that writing a virus for the Windows platform gives you a bigger audience, but Microsoft does have a lot of sloppy code, and these buffer overflow problems plague pretty much every aspect of their operating systems and other software.

      Your other opinion that it was written by a Linux user is nothing but childish. So what if it was a Linux user that wrote it. That doesn't matter one bit, the fact that the hole exists and that somebody exploited it does matter, the rest is meaningless.
  • link
    Update victim
    • Excellent info

      Thanks. Considering that this thing relies on having Administrator privileges to write to the system portions of the registry (not to mention the rootkit type behavior), all my XP machines have been immune to this for years now. It would appear that, once again, 30 seconds of up-front configuration trumps all the anti-virus scanners in the world.
  • Pretty clever server

    "The server is no longer hosting any executables"

    and yet it still receives updates from infected machines. That's real hard to do without executables. I wonder what else has *not* been done to that server...

    Is the original design of the computer so flawed that it is susceptible to these disaster attacks? The designers of the computer and operating systems did not see any vulnerable areas in the design at all? Computers would have to pass rigorous Government testing at a planetary level. To attract the parts makers the computer manufacturer would have to present a flawless machine. Something has happened to all computers to make them susceptible to a virus attack. End computer virus.
  • Cut 'em off!

    Does anyone else agree that it's time the international community cuts the wires to Russia? Let them live on dial-up!
  • The Sky is falling -- again

    Gee what do ya know. There are criminals out there who want to steal from us. Protect yourself by hiding in the house with a gun or fight back with the same weapon they use, the internet. Swamp them with false information. Con men are the biggest suckers in the world.
  • Gozi trojan fix?

    Running Vista here on a home network and DSL. Am I vulnerable? If so, how to get rid of it? Anyone found which software will clean it from the puter?