SecureWorks researcher discovers flexible Russian trojan, cache of stolen data from 10,000 accounts

March 21, 2007

A new trojan with multiple variants and the ability to get around SSL protection and circumvent multifactor authentication has managed to steal authentication information for accounts of more than 300 companies and government organizations, a researcher with SecureWorks told SCMagazine.com today.

Researcher Don Jackson found the worm after a friend received a suspicious message from a large online financial organization in January 2006. His favor for a friend led him to investigate a stealthy new Russian trojan named Gozi and a repository of stolen information from more than 5,200 home PC users and 10,000 account records — including names and password information for top global banks, retailers, government organizations and law enforcement systems.

"When we looked at the PC, there were several pieces of malware, but one of them wasn’t being detected at all," Jackson said. "So that prompted an analysis of the code itself. In analyzing the code, we realized it was communicating out to a certain IP address, and after the code analysis was complete, I was very interested in the server address."

Jackson and his colleagues were then able to gain access to the data stored on the server.

"From there, we pulled down as much data as we could and loaded it up, indexed it and analyzed the data to find out what types of people were affected, how many people were affected, how many home-versus-corporate users were affected, what kind of data was being siphoned off to the server, and more importantly, what was happening to it once it was there," he said.

Jackson found that the data was being sold illicitly via a subscription service. Though the amount of data available was relatively small, SecureWorks was concerned because the data originated from various sources, including financial organizations, government sites, job search sites and online retail — 300 organizations in all.

Jackson said that the variant of Gozi that was able to skim the information has been in the wild since September 2006. He was first able to work with other security firms to develop signatures for the variant last month, but he and his team have found other undetected variants.

Last week, Jackson disabled the subscription service based on Gozi’s stolen information, but the server is still receiving stolen data.

"The server is still up today, but because the malware that it hosts has been taken off, it is no longer infecting people, and people are no longer able to buy information from the server," he said.
