Researcher Don Jackson initially found the worm after a personal friend received a suspicious message from a large online financial organisation in January 2006.
That favour to a friend led him into an investigation of a stealthy new Russian Trojan named Gozi, and of a repository of data stolen from more than 5,200 home PC users: 10,000 account records, including names and passwords for top global banks, retailers, government organisations and law enforcement systems.
"When we looked at the PC there were several pieces of malware, but one of them wasn't being detected at all," Jackson said. "So that prompted an analysis of the code itself. In analysing the code we realised it was communicating out to a certain IP address, and after the code analysis was complete I was very interested in the server address."
When he looked at the server, he found a front end on it; through their analysis of the malware's code, he and his colleagues were able to gain access to the data stored on the server.
"From there we pulled down as much data as we could and loaded it up, indexed it and analysed the data to find out what types of people were affected, how many people were affected, how many home versus corporate users were affected, what kind of data was being siphoned off to the server and, more importantly, what was happening to it once it was there," he said.
What Jackson found was that the data was being sold illicitly via a subscription service. Though the amount of data available was relatively small, SecureWorks was concerned due to the varied sources from which the data originated.
The sources included financial organisations, but also government sites, job application sites, online retailers and more, with accounts from more than 300 organisations in total.
Jackson said that, as best he can tell, the Gozi variant that skimmed the information has been in the wild since September 2006. Starting last month he worked with other security firms to develop signatures for that variant, but he and his team have already found other variants that remain undetected.
Last week Jackson also helped disable the subscription service built on the information Gozi stole, but as of today the server is still receiving stolen data.
"The server is still up today, but because the malware that it hosts has been taken off, it is no longer infecting people, and people are no longer able to buy information from the server," he said.
New Trojan compromises accounts from 300 organisations
By Ericka Chickowski on Mar 21, 2007 3:14AM