Keylogging Trojan Dodges Anti-virus Detection -Alert!!
HardOCP | Brian Prince, eWeek

Posted on 05/25/2007 2:34:07 PM PDT by Ernest_at_the_Beach

A new variant of the Russian Trojan Gozi, armed with keylogging functionality, is making the rounds again. What makes this time different is that the Trojan can scramble itself to avoid detection by your anti-virus software.

The Trojan is believed to have been spreading since April 17. Like the original, which was discovered earlier in 2007, the new version of Gozi steals data from encrypted SSL (Secure Sockets Layer) streams. The latest variant was uncovered May 7 by Don Jackson, a security researcher at SecureWorks in Atlanta.


TOPICS: News/Current Events; Technical
KEYWORDS: cc; hitech; internetexplorer; keylogger; malware; microsoft; spyware; trojan; windows

1 posted on 05/25/2007 2:34:08 PM PDT by Ernest_at_the_Beach

To: ShadowAce

This does not sound good....


2 posted on 05/25/2007 2:34:43 PM PDT by Ernest_at_the_Beach (The DemonicRATS believe ....that the best decisions are always made after the fact.)

To: Honeybunch

Ping.


3 posted on 05/25/2007 2:36:11 PM PDT by OKSooner

To: Ernest_at_the_Beach

Yikes!


4 posted on 05/25/2007 2:37:56 PM PDT by Paul Ross (Ronald Reagan-1987:"We are always willing to be trade partners but never trade patsies.")

To: Ernest_at_the_Beach

What’s “Anti-Virus Software?”


5 posted on 05/25/2007 2:39:04 PM PDT by papertyger ("The first thing we do, let's kill all the lawyers" -- wisdom for the ages by Wm. Shakespeare)

To: All
New and improved version of Gozi Trojan horse on the loose
Stealthier Russian malware on the loose since April

******************************EXCERPT******************************

May 19, 2007 (Computerworld) -- A new, stealthier version of a previously known Russian Trojan horse program called Gozi has been circulating on the Internet since April 17 and has already stolen personal data from more than 2,000 home users worldwide.

The compromised information includes bank and credit card account numbers (including card verification value codes), Social Security numbers and online payment account numbers as well as usernames and passwords. As with its predecessor, the new version of Gozi is programmed to steal information from encrypted Secure Sockets Layer (SSL) streams and send the stolen information to a server in Russia.

The variant was discovered by Don Jackson, a security researcher at Atlanta-based SecureWorks Inc. who also discovered the original Gozi Trojan horse back in January.

Two core "enhancements"

According to Jackson, the new version is very similar to the original Gozi code in its purpose, but features two core enhancements. One of them is its use of a new and hitherto unseen "packer" utility that encrypts, mangles, compresses and even deletes portions of the Trojan horse code to evade detection by standard, signature-based antivirus tools. The original Gozi, in contrast, used a fairly commonly known packing utility called Upack, which made it slightly easier to detect than the latest version.

This version of Gozi also has a new keystroke-logging capability for stealing data, in addition to its ability to steal data from SSL streams. According to Jackson, the keystroke logger appears to be activated when the user of an infected computer visits a banking Web site or initiates an SSL session. It is still unclear how exactly the keystroke logger knows to turn itself on and capture information, Jackson said.

Apart from those two differences, the variant is identical to Gozi, Jackson said. The Trojan horse takes advantage of a previously fixed vulnerability in the iFrame tags of Microsoft Corp.'s Internet Explorer to infect systems. Users typically appear to be infected when visiting certain hosted Web sites, community forums, social networking sites and those belonging to small businesses.

A service provider steps in

The server to which the stolen data was being sent was located on a Russian network.

6 posted on 05/25/2007 2:39:11 PM PDT by Ernest_at_the_Beach (The DemonicRATS believe ....that the best decisions are always made after the fact.)
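The packer enhancement described in the excerpt above is exactly what signature-based antivirus misses: a fresh packer produces bytes no signature has seen. One heuristic defenders use instead is byte entropy, because compressed or encrypted code is close to uniformly distributed. The following is an added example (not code from the article, SecureWorks or any antivirus product) that computes Shannon entropy per section and flags sections above an assumed threshold of 7.2 bits/byte; the section names and contents are constructed stand-ins, not bytes from Gozi.

```python
"""Entropy heuristic for spotting packed or encrypted PE sections.

Added example: packing defeats signatures, but compressed/encrypted code has
near-uniform byte distribution, i.e. Shannon entropy close to 8 bits/byte.
The threshold below is an illustrative assumption, not a published constant.
"""
import hashlib
import math
from collections import Counter

PACKED_THRESHOLD = 7.2   # bits/byte (assumed); ordinary x86 code sits well below this

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(data).values()))

def classify_section(name: str, data: bytes, threshold: float = PACKED_THRESHOLD) -> dict:
    """Report entropy for one section plus a 'packed' flag against the threshold."""
    h = shannon_entropy(data)
    return {"section": name, "size": len(data), "entropy": round(h, 3), "packed": h >= threshold}

def scan_sections(sections: dict) -> list:
    """Classify every section; insertion order is preserved so reports line up."""
    return [classify_section(n, d) for n, d in sections.items()]

# Constructed stand-ins for section contents (no real binaries involved):
def pseudo_random_bytes(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy filler from chained SHA-256 digests,
    standing in for an encrypted or compressed payload."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])

SAMPLE_SECTIONS = {
    # import-string-like .rdata: low entropy
    ".rdata": b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00" * 40,
    # 64 evenly used byte values: exactly 6.0 bits/byte, typical "code-like" range
    ".text": bytes(range(0, 256, 4)) * 32,
    # packed payload: near 8 bits/byte, the signal the heuristic keys on
    ".packed": pseudo_random_bytes(b"constructed-seed", 4096),
}

if __name__ == "__main__":
    for r in scan_sections(SAMPLE_SECTIONS):
        flag = "PACKED?" if r["packed"] else "ok"
        print(f"{r['section']:<8} {r['size']:>6} B  H={r['entropy']:.3f}  {flag}")
```

High entropy is a lead, not a verdict: legitimate installers and resource sections (images, certificates) also score high, so the flag should feed a closer look rather than an automatic block.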

To: papertyger

Are you logged ON?


7 posted on 05/25/2007 2:39:46 PM PDT by Ernest_at_the_Beach (The DemonicRATS believe ....that the best decisions are always made after the fact.)

To: Ernest_at_the_Beach

Are you series?


8 posted on 05/25/2007 2:41:30 PM PDT by papertyger ("The first thing we do, let's kill all the lawyers" -- wisdom for the ages by Wm. Shakespeare)

Comment #9 Removed by Moderator

To: Ernest_at_the_Beach

Linux. ‘Nuff said.


10 posted on 05/25/2007 2:41:58 PM PDT by harwood (Ann Coulter: Future SCOTUS nominee!)

To: harwood

That’s what I run.


11 posted on 05/25/2007 2:44:19 PM PDT by Ernest_at_the_Beach (The DemonicRATS believe ....that the best decisions are always made after the fact.)

To: papertyger

“What’s ‘Anti-Virus Software?’”

It protects us from the bird flu..


12 posted on 05/25/2007 2:44:57 PM PDT by HereInTheHeartland (Never bring a knife to a gun fight, or a Democrat to do serious work...)

To: HereInTheHeartland

My sister got the bird flu after being bitten.


13 posted on 05/25/2007 2:46:31 PM PDT by papertyger ("The first thing we do, let's kill all the lawyers" -- wisdom for the ages by Wm. Shakespeare)

To: Ernest_at_the_Beach

There is another one also — maybe even worse. The trojan, Kardphisher, renders a popup to the user, saying their software has been activated by another person. It then says that, in order to maintain activation, they must buy it. It asks not only for credit card information, but the PIN and 3-digit security number as well.

The popup says it comes from Microsoft, but it does not. The sender wants your credit card info.


14 posted on 05/25/2007 2:52:15 PM PDT by WaterWheeler

To: Ernest_at_the_Beach

Anyone who uses a credit card on the Internet should know that you should never type your number in sequentially the way it appears on the card.

You should break it up into pieces and use the mouse to relocate the cursor. NEVER THE ARROW KEYS - keyloggers can read arrow key movements, but so far... not mouse movements.

So say, for example, that your credit card number was: 123 456 789;

You should type first 456; then use the mouse to move the cursor in front of it and type 123; then use the mouse one more time and type 789.

This is simplified, but a simple procedure of NEVER typing a number in the order it appears on your credit card will defeat any keyloggers that currently exist.

I have helped a friend install a keylogger once during a messy divorce, and it’s amazing what information you can capture! It also makes it easy to figure out a way to defeat such software.

NEVER TYPE IN YOUR CC NUMBER WITHOUT SCRAMBLING IT AS I DESCRIBED. It’s not a big hassle, and it gives you an added layer of security. Even if someone did sneak a keylogger onto your machine somehow, they would not get a useful CC number if you follow this simple trick.


15 posted on 05/25/2007 2:57:04 PM PDT by Bon mots

To: WaterWheeler

BUMP!


16 posted on 05/25/2007 3:02:05 PM PDT by Publius6961 (MSM: Israelis are killed by rockets; Lebanese are killed by Israelis.)

To: Bon mots

Interesting advice! Thanks!


17 posted on 05/25/2007 3:02:14 PM PDT by Enterprise (I can't talk about liberals anymore because some of the words will get me sent to rehab.)

To: Bon mots
Great suggestion!

I can think of some deliciously useful variants of that!

18 posted on 05/25/2007 3:03:49 PM PDT by Publius6961 (MSM: Israelis are killed by rockets; Lebanese are killed by Israelis.)

To: Bon mots

Many thanks.


19 posted on 05/25/2007 3:04:30 PM PDT by RinaseaofDs

To: Bon mots
Anyone who uses a credit card on the Internet should know that you should never type your number in sequentially the way it appears on the card.

Interesting technique that may work against some keyloggers, but the program in question is also apparently scarfing SSL session information too, so that wouldn't work if you're infected by it.

Thank God I use Linux.

20 posted on 05/25/2007 3:04:40 PM PDT by zeugma (MS Vista has detected your mouse has moved, Cancel or Allow?)
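Post #15's typing-order trick and zeugma's objection to it in post #20 are both about which observer sees what. The following is an added example (not code from either poster) that models the procedure as a stream of keystrokes and mouse clicks, then shows what a keystroke-only logger records versus the value the form field actually holds when submitted, which is what a tool reading the SSL stream would see. The event types, the `TextField` model and the chunk order are invented for the illustration; the number is the thread's own sample, not a real card.

```python
"""Added example (not from the thread): models post #15's procedure as input
events and shows what two observers reconstruct, a keystroke-only logger and
the field value the browser submits (what an SSL-stream grabber would see).
Event types and names are invented for the illustration."""
from dataclasses import dataclass

@dataclass
class Key:
    char: str           # a printable keystroke

@dataclass
class Click:
    position: int       # caret index chosen with the mouse (no keystroke involved)

@dataclass
class TextField:        # minimal single-line input: text plus caret
    text: str = ""
    caret: int = 0

    def apply(self, ev) -> None:
        if isinstance(ev, Click):
            self.caret = max(0, min(ev.position, len(self.text)))
        else:   # Key: insert at the caret, caret advances by one
            self.text = self.text[:self.caret] + ev.char + self.text[self.caret:]
            self.caret += 1

def keystroke_log(events) -> str:
    """What a keystroke-only logger records: keys in the order they were typed."""
    return "".join(ev.char for ev in events if isinstance(ev, Key))

def submitted_value(events) -> str:
    """What the field holds at submit time, i.e. what leaves in the HTTPS request."""
    f = TextField()
    for ev in events:
        f.apply(ev)
    return f.text

def scrambled_entry(number: str, chunks=(1, 0, 2), chunk_len=3) -> list:
    """Event stream for post #15's procedure: chunks typed in the given order,
    with the caret moved by mouse before each chunk (default: 456, 123, 789)."""
    parts = [number[i:i + chunk_len] for i in range(0, len(number), chunk_len)]
    events, typed = [], []          # typed: chunk indices already in the field
    for idx in chunks:
        pos = sum(len(parts[j]) for j in typed if j < idx)   # where chunk idx belongs
        events.append(Click(pos))
        events.extend(Key(c) for c in parts[idx])
        typed.append(idx)
    return events

if __name__ == "__main__":
    evs = scrambled_entry("123456789")   # the thread's sample, not a real card
    print("keystroke logger sees :", keystroke_log(evs))    # 456123789
    print("submitted field value :", submitted_value(evs))  # 123456789
```

The trick changes only the keystroke sequence; anything that reads the field contents, the form submission or the decrypted SSL stream still gets the number in order.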

To: Ernest_at_the_Beach

bump


21 posted on 05/25/2007 3:05:48 PM PDT by VOA

To: Bon mots

That’s a good tip. How do you scan your system to find out if you have been infected? Symantec has a couple articles about it but nothing to indicate they have a fix.


22 posted on 05/25/2007 3:09:12 PM PDT by Aliska

To: All

I love My *ping!* Knoppix Linux!


23 posted on 05/25/2007 3:09:54 PM PDT by Utilizer (What does not kill you... - can sometimes damage you QUITE severely.)

To: Bon mots

How about copy/paste? Or having software that auto-fills?


24 posted on 05/25/2007 3:12:25 PM PDT by Raycpa

To: Bon mots

Great tip! Wish I had considered that previously since you are correct that it takes little effort to implement such a simple preventative measure.


25 posted on 05/25/2007 3:12:50 PM PDT by Utilizer (What does not kill you... - can sometimes damage you QUITE severely.)

To: Bon mots

Excellent info


26 posted on 05/25/2007 3:14:56 PM PDT by Ernest_at_the_Beach (The DemonicRATS believe ....that the best decisions are always made after the fact.)

To: TR Jeffersonian

ping


27 posted on 05/25/2007 3:15:51 PM PDT by kalee (The offenses we give, we write in the dust; Those we take, we write in marble. JHuett)

To: nnn0jeh

ping


28 posted on 05/25/2007 3:16:49 PM PDT by kalee (The offenses we give, we write in the dust; Those we take, we write in marble. JHuett)

To: papertyger

I had a bird in the flue once, and was virally henpecked until I got rid of it.


29 posted on 05/25/2007 3:22:58 PM PDT by ApplegateRanch (Islam: a Satanically Transmitted Disease, spread by unprotected intimate contact with the Koranus.)

To: Bon mots

UBMP!

Thanks Ernest!


30 posted on 05/25/2007 3:24:25 PM PDT by FrPR

To: Ernest_at_the_Beach
This does not sound good....

Piece-a-cake, just cover your keys in tin foil.

it's Friday, ok? :)

31 posted on 05/25/2007 3:28:20 PM PDT by LasVegasMac (Give me 10 days and we'll be at war with those SOB's - I'll make it look like their fault!")

To: Ernest_at_the_Beach

So, where is the tool to detect and remove this trojan?


32 posted on 05/25/2007 3:43:35 PM PDT by Abcdefg

To: Abcdefg

Well....see post #22.


33 posted on 05/25/2007 4:03:03 PM PDT by Ernest_at_the_Beach (The DemonicRATS believe ....that the best decisions are always made after the fact.)

To: Ernest_at_the_Beach

No fix, we’re DOOMED!


34 posted on 05/25/2007 4:08:28 PM PDT by Abcdefg

To: Bon mots

Thank you so much for the advice!


35 posted on 05/25/2007 4:12:04 PM PDT by BlessedBeGod

To: Ernest_at_the_Beach

I don’t understand: can it decrypt the SSL packets and steal the data, or is it just a key logger enabled once an SSL connection has been established?

If it can decode and read SSL packets, it doesn’t even need to be on your PC; it just needs to sniff packets on the Internet. Granted, it’s a lot of traffic, but look for financial institutions’ destination addresses in the header.

When I had a shared cable modem connection, I put a virgin but patched PC right on the network and ran a Sniffer, and was amazed at what I could see. Luckily (or unluckily, since I can’t set up a Citrix server at home) my DSL stops outside packets at the next hop router.


36 posted on 05/25/2007 4:12:47 PM PDT by Lx (Do you like it, do you like it. Scott? I call it Mr. and Mrs. Tennerman chili.)

To: Ernest_at_the_Beach
Free Key Scrambler
37 posted on 05/25/2007 6:10:59 PM PDT by Northern Alliance

To: Raycpa
How about copy/paste? Or having software that auto-fills?

I had the same thought - I don't see how a key logger could pick that up. Personally I use Whisper (I think a Freeper turned me on to that a long time ago) to store, then copy and paste, user names and passwords. I don't like autofill for sensitive info, as browser password security is not very good. If your computer is compromised then your autofill info may be as well.

Whisper 32

I also use Free key scrambler

38 posted on 05/25/2007 6:27:18 PM PDT by Northern Alliance

To: Bon mots

What a great idea. Thanks for posting it.


39 posted on 05/25/2007 7:54:54 PM PDT by gcruse

To: Bon mots

Thanks much.


40 posted on 05/25/2007 9:01:08 PM PDT by Quix (GOD ALONE IS GOD; WORTHY; PAID THE PRICE; IS COMING AGAIN; KNOWS ALL; IS LOVING; IS ALTOGETHER GOOD)

To: Bon mots

FR *bookmark* , and thanks Bon mots


41 posted on 05/25/2007 9:09:40 PM PDT by Dad yer funny (FoxNews is morphing , and not for the better ,... internal struggle? Its hard to watch)

To: Ernest_at_the_Beach

Will you post a fix announcement to this thread?


42 posted on 05/25/2007 11:10:11 PM PDT by philman_36

To: philman_36

If I see one...or someone else can also...watch the keyword list for a new thread....that someone might start on the topic....


43 posted on 05/25/2007 11:14:12 PM PDT by Ernest_at_the_Beach (The DemonicRATS believe ....that the best decisions are always made after the fact.)

To: Ernest_at_the_Beach

OK


44 posted on 05/26/2007 12:13:50 AM PDT by philman_36

To: Bon mots

Great tip, thanks.


45 posted on 05/26/2007 12:47:37 AM PDT by TChad

To: Bon mots

Thanks Bon mots.

Note to self:

‘So say, for example, that your credit card number was: 123 456 789; You should type first 456; then use the mouse to move the cursor in front of it and type 123; then use the mouse one more time and type 789. This is simplified, but a simple procedure of NEVER typing a number in the order it appears on your credit card, will defeat any keyloggers that currently exist.’


46 posted on 05/26/2007 6:46:51 AM PDT by Joya

To: Raycpa
How about copy/paste? Or having software that auto-fills?

Copy/paste also works for simple keyloggers. But if someone actually gets complete control of your PC - well, then they might find the files where you hide the passwords. I do use copy and paste for one of my online banking accounts. A keylogger will not see it. Eventually, some invidious person may find a way to track the mouse movements as well, but that is too much work. Enough people currently enter all passwords manually - which can be easily uncovered by keylogger software. You can download a keylogger of your own for free if you want to see how one works. There are a bunch of links out there for the "family keylogger" which monitors all keystrokes on your computer or on any computer where you have it installed. There is a free version as well.

47 posted on 05/28/2007 1:14:22 PM PDT by Bon mots
