The variant is similar to the original Gozi virus, detected in January, but has two new features, including a packing utility that encrypts, compresses and deletes sections of the virus code to evade detection by signature-based anti-virus software.
The trojan also has an integrally-coded keylogging function designed to capture and steal personal data, with the ability to snatch information from encrypted SSL streams.
The keylogging feature activates when an affected user visits a financial website, according to reports.
Information compromised by the virus includes bank and credit card account numbers, online payment details, usernames and passwords.
Don Jackson, a researcher at SecureWorks, uncovered the trojan variant, which he said sends the stolen data to a server in Russia.
The variant first attacked victims on April 17, and has stolen the account information of 2,000 home PC users, according to SecureWorks.
The trojan is believed to have stolen $2 million of financial and personal information since researchers discovered it in February, a SecureWorks spokeswoman said Friday.
Anti-virus vendors will have considerable trouble detecting the malware because of its keylogging function, according to one company.
"It is bad enough that this new version of Gozi can encrypt and rotate its program code to bypass conventional signature detection, but the fact it can switch a keylogging function on and off when the infected PC reaches an e-banking webpage makes it almost undetectable using conventional IT security technology," said Geoff Sweeney, co-founder and CTO at behavioral analysis software vendor Tier-3.
Jackson discovered the worm in January after a friend received a suspicious message from a large online financial organisation. His investigation uncovered a repository of stolen information from more than 5,200 home users and 10,000 account records – including the names and password information for top global banks, retailers, government organisations and law enforcement networks.
Gozi variant contains keylogger function
By Fiona Raisbeck on May 21, 2007 4:09PM