  SpannerITWks Premium join:2005-04-22
Gozi Trojan - analysis of sophisticated RK/Trojan
From the www -
-
Russian malware authors are finding new ways to steal and profit from data which used to be considered safe from thieves because it was encrypted using SSL/TLS. Originally, this analysis intended to provide insight into the mechanisms used to steal that data, but it became an investigation into the growing trend of malware sold not as a product, but as a service. Eventually it led to an alarming find and resulted in an active law enforcement investigation.
-
When scanned by 30 leading anti-virus products, none of them detected malware specifically; however, several of them using heuristics detected it as a "suspicious" file or "generic" threat based on the fact that it was compressed by a common malware packer, a compression utility commonly used to shrink and hide malicious code in executable (EXE) files.
etc -
»www.secureworks.com/research/thr···eat=gozi
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks
  SpannerITWks Premium join:2005-04-22
Just seen it in here - »Researcher uncovers data thief's cache - Sorry cudni !
Nice catch,
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
If you find out more about that one..let us know -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/
  Psicop More human than human Premium join:2005-12-21
reply to SpannerITWks Apparently they are making some money out of it:
»www.computerworld.com/action/art···myId=125
Vulgar thieves.
  avselect
from: Name Game 
reply to SpannerITWks Would be interesting to know which of the a/v vendors did NOT initially detect this. Obviously only those few with advanced heuristics detection caught this in the beginning. IMO, anyone looking for a good a/v needs to be looking at this aspect. This is real world stuff.
  SpannerITWks Premium join:2005-04-22
reply to SpannerITWks Name Game
As requested, i've found out a bit more about it.
Seems like this Gozi nasty has been around for a lot longer than some realised !
BOClean added - xx_rplq.exe - to its definitions on 2006-10-23 as part of the SPYSCAM series.
xx_rplq.exe - I have been having trouble getting rid of trojan small.bs - »www2b.abc.net.au/science/techtal···898.shtm - 28/01/2007
xx_rplq.exe = Trojan-PSW.Win32.Small.bs - »research.sunbelt-software.com/th···id=53465
Just for example, one of the file traces in the Sunbelt data is - au_biz_new3.exe - Which leads to - »uk.trendmicro-europe.com/consume···MALL.DON - Description created: 2006-09-29
Apparently - www.malware-research.co.uk - obtained and sent this nasty to all known vendors last year in October. So i'm not sure why it's been undetected for so long by so many of them !
avselect
Yes it would be nice to know which ones were on the ball with this, or not !
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks
  swhx7 Premium join:2006-07-23 Elbonia
·RoadRunner Cable
reply to SpannerITWks Fascinating analysis. The malware author is obviously so talented, it's too bad he's working for the dark side.
I'm curious about how the infection initially happened. The article says:
...deleted Internet Explorer cache data was recovered which indicated the user had visited the alchemylab.com web site which hosted code similar to the following: [Javascript shown here]
Which writes the following content to the current web page: [iframe here]
That page simply contains another IFRAME: [iframe here]
The page included in this last IFRAME contained JavaScript code using XMLHTTP and ADODB (ActiveX Data Objects) functions to download and run an EXE file which was hosted on the same server. So apparently, a user who has ActiveX turned on can be infected without any user action beyond viewing a web page - a true "drive-by". However, I don't know that this can happen on Firefox, or on IE without ActiveX: the user would have to download and run an executable with some awareness and opportunity to avoid it.
Either browser will retrieve a remote file of any kind with XMLHttp, and this may be unnoticeable. However, if it's an executable, then absent ActiveX, I believe either browser will present a dialog showing information about the file, and asking whether the user wants to download it. And then even if the user downloads it, then in the absence of ActiveX there still won't be any automatic execution.
Can anyone shed more light on this question?
  Don Jackson
@secureworks.net
from: Name Game 
reply to SpannerITWks said by SpannerITWks :xx_rplq.exe = Trojan-PSW.Win32.Small.bs - » research.sunbelt-software.com/th···id=53465... Apparently - www.malware-research.co.uk - obtained and sent this nasty to all known vendors last year in October. So i'm not sure why it's been undetected for so long by so many of them ! Here's a comparison between this and Trojan.Small.BS (as detected by major AV vendors):
1. It appears to be designed with a smaller client "footprint" (fewer registry keys, files, does not need to disable the Security Center service).
2. Also, it includes the novel ability to sniff JavaScript-based HTTP requests (the type used in AJAX apps) as a Layered Service Provider, circumventing SSL protections.
3. It's more configurable, too, allowing the URLs for targeted domains to be specified as options, for example.
4. It appears the proxy is slightly different (SOCKS5?) from the SOCKS4 proxy that Small.BS uses. I have not paid much attention to that yet.
The xx_options and other xx_* registry keys used by Gozi are not removed by cleaning procedures, "Damage Control", or "Outbreak Prevention" templates -- I'm borrowing some trademarks here -- for the Small.BS trojan family. One can tell if Gozi was the culprit, after cleaning, by looking for these artifacts. One may not see them before cleaning and rebooting because of the rootkit functions Gozi uses to hide them.
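As an added example, not part of this thread or of the SecureWorks analysis: a small Python check for the xx_options / xx_* registry residue Don describes, run over a .reg export taken after cleaning and rebooting (on a live infected box the rootkit may hide the keys, so an export from a cleaned or offline system is the right input). Only the xx_ naming convention comes from the post; the key path, the other value names and the value data in the sample export are constructed for illustration and are not real Gozi indicators.

```python
import re
from typing import List, Tuple

# Constructed sample of a Windows "Registry Editor" (.reg) export.
# The key paths and non-xx_ values are invented for this example; only the
# "xx_options" / "xx_*" value-name pattern is taken from Don Jackson's post.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre\\bin\\jusched.exe"

[HKEY_CURRENT_USER\Software\Example\Settings]
"xx_options"=hex:01,00,00,00
"xx_id"="abc123"
"theme"="dark"
"xxx_not_it"="1"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # [HKEY_...\Sub\Key]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')  # "name"=data
# Post says "xx_options and other xx_* registry keys": match that prefix only.
ARTIFACT_RE = re.compile(r"^xx_[A-Za-z0-9_]+$")


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"=data lines. Returns (key, value_name, data) tuples in file order.
    Default values (@=...) and multi-line hex continuations are ignored."""
    entries: List[Tuple[str, str, str]] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1]  # unquote REG_SZ data
            entries.append((current_key, m.group("name"), data))
    return entries


def find_gozi_artifacts(text: str) -> List[Tuple[str, str, str]]:
    """Return every value whose name matches the xx_* convention, with the
    key it lives under, so an analyst can confirm Gozi rather than Small.BS."""
    return [e for e in parse_reg_export(text) if ARTIFACT_RE.match(e[1])]


if __name__ == "__main__":
    hits = find_gozi_artifacts(SAMPLE_REG_EXPORT)
    if not hits:
        print("no xx_* residue found")
    for key, name, data in hits:
        print(f"{key} :: {name} = {data}")
```

To use it on a real case, export the hives with `reg export` after the cleanup and reboot, then pass the file contents to `find_gozi_artifacts`; an empty result means no xx_* residue, not that the system is clean, since the script only looks for the one artifact family the post names.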
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
reply to SpannerITWks Thank You Don for the additional info..
»scmagazine.com/us/news/article/6···accounts -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/