Gozi variant contains keylogger function

By on
Gozi variant contains keylogger function

A fresh variant of the Russian Gozi virus has attacked thousands of computers in various countries in the past month.

The variant is similar to the original Gozi virus, detected in January, but has two new features, including a packing utility that encrypts, compresses and deletes sections of the virus code to evade detection by signature-based anti-virus software.

The trojan also has an integrally-coded keylogging function designed to capture and steal personal data, with the ability to snatch information from encrypted SSL streams.

The keylogging feature activates when an affected user visits a financial website, according to reports.

Information compromised by the virus includes bank and credit card account numbers, online payment details, usernames and passwords.

Don Jackson, a researcher at SecureWorks, uncovered the trojan variant, which he said sends the stolen data to a server in Russia.

The variant first attacked victims on April 17, and has stolen the account information of 2,000 home PC users, according to SecureWorks.

The trojan is believed to have stolen $2 million of financial and personal information since researchers discovered it in February, a SecureWorks spokeswoman said Friday.

Anti-virus vendors will have considerable trouble detecting the malware because of its keylogging function, according to one company.

"It is bad enough that this new version of Gozi can encrypt and rotate its program code to bypass conventional signature detection, but the fact it can switch a keylogging function on and off when the infected PC reaches an e-banking webpage makes it almost undetectable using conventional IT security technology," said Geoff Sweeney, co-founder and CTO at behavioral analysis software vendor Tier-3.

Jackson discovered the worm in January after a friend received a suspicious message from a large online financial organisation. His investigation uncovered a repository of stolen information from more than 5,200 home users and 10,000 account records – including the names and password information for top global banks, retailers, government organisations and law enforcement networks.
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
containsfunctiongozikeyloggersecurityvariant

Sponsored Whitepapers

Planning before the breach: You can’t protect what you can’t see
Planning before the breach: You can’t protect what you can’t see
Beyond FTP: Securing and Managing File Transfers
Beyond FTP: Securing and Managing File Transfers
NextGen Security Operations: A Roadmap for the Future
NextGen Security Operations: A Roadmap for the Future
Video: Watch Juniper talk about its Aston Martin partnership
Video: Watch Juniper talk about its Aston Martin partnership
Don’t pay the ransom: A three-step guide to ransomware protection
Don’t pay the ransom: A three-step guide to ransomware protection

Events

Most Read Articles

NBN Co's 250Mbps and gigabit growth is finally clear

NBN Co's 250Mbps and gigabit growth is finally clear
NBN Co sizes up six-figure customer exodus a year to fixed wireless

NBN Co sizes up six-figure customer exodus a year to fixed wireless
NBN Co to cut 160 applications under $200m IT simplification

NBN Co to cut 160 applications under $200m IT simplification
Kmart Australia re-platforms ecommerce site to AWS

Kmart Australia re-platforms ecommerce site to AWS

Digital Nation

Why do DeFi and DAOs matter to business?
Why do DeFi and DAOs matter to business?
COVER STORY: A Year in the Metaverse
COVER STORY: A Year in the Metaverse
Lendlease launches its own metaverse in Milan
Lendlease launches its own metaverse in Milan
COVER STORY: Data and IoT set digital agriculture on a sustainable future
COVER STORY: Data and IoT set digital agriculture on a sustainable future
CTO Juergen Mueller offers a glimpse into SAP's metaverse play
CTO Juergen Mueller offers a glimpse into SAP's metaverse play

Log In

  |  Forgot your password?