The variant is similar to the original Gozi virus, detected in January, but has two new features, including a packing utility that encrypts, compresses and deletes sections of the virus code to evade detection by signature-based anti-virus software.
The trojan also has a built-in keylogging function designed to capture and steal personal data, and it can capture information from encrypted SSL streams.
The keylogging feature activates when an affected user visits a financial website, according to reports.
Information compromised by the virus includes bank and credit card account numbers, online payment details, usernames and passwords.
Don Jackson, a researcher at SecureWorks, uncovered the trojan variant, which he said sends the stolen data to a server in Russia.
The variant first attacked victims on April 17, and has stolen the account information of 2,000 home PC users, according to SecureWorks.
The trojan is believed to have stolen $2 million of financial and personal information since researchers discovered it in February, a SecureWorks spokeswoman said Friday.
Anti-virus vendors will have considerable trouble detecting the malware because of its keylogging function, according to one company.
"It is bad enough that this new version of Gozi can encrypt and rotate its program code to bypass conventional signature detection, but the fact it can switch a keylogging function on and off when the infected PC reaches an e-banking webpage makes it almost undetectable using conventional IT security technology," said Geoff Sweeney, co-founder and CTO at behavioral analysis software vendor Tier-3.
Jackson discovered the worm in January after a friend received a suspicious message from a large online financial organisation. His investigation uncovered a repository of stolen information from more than 5,200 home users and 10,000 account records – including the names and password information for top global banks, retailers, government organisations and law enforcement networks.
Gozi variant contains keylogger function
By Fiona Raisbeck on May 21, 2007 4:09PM

A fresh variant of the Russian Gozi virus has attacked thousands of computers in various countries in the past month.