Free Republic
Browse · Search
News/Activism
Topics · Post Article

Keylogging Trojan Dodges Anti-virus Detection -Alert!!
HardOCP | Brian Prince (eWeek)

Posted on 05/25/2007 2:34:07 PM PDT by Ernest_at_the_Beach

A new variant of the Russian Trojan Gozi, armed with keylogging functionality, is making the rounds again. What makes this time different is that the Trojan can scramble itself to avoid detection by your anti-virus software.

The Trojan is believed to have been spreading since April 17. Like the original, which was discovered earlier in 2007, the new version of Gozi steals data from encrypted SSL (Secure Sockets Layer) streams. The latest variant was uncovered May 7 by Don Jackson, a security researcher at SecureWorks in Atlanta.

Posted by Steve 3:15 PM (CDT)


TOPICS: News/Current Events; Technical
KEYWORDS: cc; hitech; internetexplorer; keylogger; malware; microsoft; spyware; trojan; windows

1 posted on 05/25/2007 2:34:08 PM PDT by Ernest_at_the_Beach

To: ShadowAce

This does not sound good....


2 posted on 05/25/2007 2:34:43 PM PDT by Ernest_at_the_Beach (The DemonicRATS believe ....that the best decisions are always made after the fact.)

To: Honeybunch

Ping.


3 posted on 05/25/2007 2:36:11 PM PDT by OKSooner

To: Ernest_at_the_Beach

Yikes!


4 posted on 05/25/2007 2:37:56 PM PDT by Paul Ross (Ronald Reagan-1987:"We are always willing to be trade partners but never trade patsies.")

To: Ernest_at_the_Beach

What’s “Anti-Virus Software?”


5 posted on 05/25/2007 2:39:04 PM PDT by papertyger ("The first thing we do, let's kill all the lawyers" -- wisdom for the ages by Wm. Shakespeare)

To: All
New and improved version of Gozi Trojan horse on the loose
Stealthier Russian malware on the loose since April

******************************EXCERPT******************************

May 19, 2007 (Computerworld) -- A new, stealthier version of a previously known Russian Trojan horse program called Gozi has been circulating on the Internet since April 17 and has already stolen personal data from more than 2,000 home users worldwide.

The compromised information includes bank and credit card account numbers (including card verification value codes), Social Security numbers and online payment account numbers as well as usernames and passwords. As with its predecessor, the new version of Gozi is programmed to steal information from encrypted Secure Sockets Layer (SSL) streams and send the stolen information to a server in Russia.

The variant was discovered by Don Jackson, a security researcher at Atlanta-based SecureWorks Inc. who also discovered the original Gozi Trojan horse back in January.

Two core "enhancements"

According to Jackson, the new version is very similar to the original Gozi code in its purpose, but features two core enhancements. One of them is its use of a new and hitherto unseen "packer" utility that encrypts, mangles, compresses and even deletes portions of the Trojan horse code to evade detection by standard, signature-based antivirus tools. The original Gozi, in contrast, used a fairly commonly known packing utility called Upack, which made it slightly easier to detect than the latest version.

This version of Gozi also has a new keystroke-logging capability for stealing data, in addition to its ability to steal data from SSL streams. According to Jackson, the keystroke logger appears to be activated when the user of an infected computer visits a banking Web site or initiates an SSL session. It is still unclear how exactly the keystroke logger knows to turn itself on and capture information, Jackson said.

Apart from those two differences, the variant is identical to Gozi, Jackson said. The Trojan horse takes advantage of a previously fixed vulnerability in the iFrame tags of Microsoft Corp.'s Internet Explorer to infect systems. Users typically appear to be infected when visiting certain hosted Web sites, community forums, social networking sites and those belonging to small businesses.

A service provider steps in

The server to which the stolen data was being sent was located on a Russian network.

6 posted on 05/25/2007 2:39:11 PM PDT by Ernest_at_the_Beach (The DemonicRATS believe ....that the best decisions are always made after the fact.)

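The excerpt above says the new packer "encrypts, mangles, compresses" the Trojan so that signature-based antivirus no longer matches it. The following is an added illustration of that mechanism, written for this page and not taken from the article, SecureWorks, or any Gozi sample: a constructed payload, a hypothetical byte signature, and a toy XOR-keystream "packer" stand in for the real thing. It shows three things a practitioner should expect: the signature stops matching once the bytes are encrypted, every rebuild with a new key yields a different binary, and two detection approaches still work, namely an entropy heuristic on the packed blob and re-scanning after the stub has unpacked it in memory.

```python
"""
Toy demonstration of why a packer defeats signature scanning and what a
detector can do instead: (1) match a byte signature, (2) flag high-entropy
blobs, (3) scan again after unpacking. Everything here is constructed for
the example; the signature and packer are stand-ins, not real indicators.
"""
import hashlib
import math

# Constructed stand-in for the Trojan's unpacked code/data. The repeated
# string is the (hypothetical) pattern a signature-based scanner keys on.
SIGNATURE = b"POST /collect.php?acct="          # hypothetical, not a real IOC
PLAIN_PAYLOAD = (b"\x55\x8b\xec" + SIGNATURE + b"user=%s&pass=%s\r\n" + b"\x5d\xc3") * 64


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudorandom keystream: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_pack(blob: bytes, key: bytes) -> bytes:
    """Stand-in for the packer's encryption step: XOR with a keystream.
    XOR is its own inverse, so the same call with the same key unpacks."""
    ks = keystream(key, len(blob))
    return bytes(b ^ k for b, k in zip(blob, ks))


def signature_match(blob: bytes, sig: bytes = SIGNATURE) -> bool:
    """What a plain signature scanner does: a substring search."""
    return sig in blob


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_packed(blob: bytes, threshold: float = 7.0) -> bool:
    """Entropy heuristic: compiled code and text sit well below 7 bits/byte;
    encrypted or compressed sections sit close to 8."""
    return shannon_entropy(blob) >= threshold


def demo() -> dict:
    """Run the three checks against the plain payload and two packed builds."""
    packed_a = toy_pack(PLAIN_PAYLOAD, b"build-key-1")
    packed_b = toy_pack(PLAIN_PAYLOAD, b"build-key-2")
    return {
        "sig_on_plain": signature_match(PLAIN_PAYLOAD),        # True
        "sig_on_packed": signature_match(packed_a),            # False: bytes changed
        "repacks_differ": packed_a != packed_b,                # True: per-build variants
        "plain_entropy_flag": looks_packed(PLAIN_PAYLOAD),     # False
        "packed_entropy_flag": looks_packed(packed_a),         # True
        "sig_after_unpack": signature_match(toy_pack(packed_a, b"build-key-1")),  # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The entropy threshold is a heuristic, not a verdict: legitimately compressed resources and encrypted installers also score high, so in practice it is a triage signal that sends the sample to an emulator or sandbox where the "sig_after_unpack" check can run on the unpacked image.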
To: papertyger

Are you logged ON?


7 posted on 05/25/2007 2:39:46 PM PDT by Ernest_at_the_Beach (The DemonicRATS believe ....that the best decisions are always made after the fact.)

To: Ernest_at_the_Beach

Are you series?


8 posted on 05/25/2007 2:41:30 PM PDT by papertyger ("The first thing we do, let's kill all the lawyers" -- wisdom for the ages by Wm. Shakespeare)

Comment #9 Removed by Moderator

To: Ernest_at_the_Beach

Linux. ‘Nuff said.


10 posted on 05/25/2007 2:41:58 PM PDT by harwood (Ann Coulter: Future SCOTUS nominee!)

To: harwood

That’s what I run.


11 posted on 05/25/2007 2:44:19 PM PDT by Ernest_at_the_Beach (The DemonicRATS believe ....that the best decisions are always made after the fact.)

To: papertyger

“What’s “Anti-Virus Software?””

It protects us from the bird flu..


12 posted on 05/25/2007 2:44:57 PM PDT by HereInTheHeartland (Never bring a knife to a gun fight, or a Democrat to do serious work...)

To: HereInTheHeartland

My sister got the bird flu after being bitten.


13 posted on 05/25/2007 2:46:31 PM PDT by papertyger ("The first thing we do, let's kill all the lawyers" -- wisdom for the ages by Wm. Shakespeare)

To: Ernest_at_the_Beach

There is another one also — maybe even worse. The trojan, Kardphisher, renders a popup to the user, saying their software has been activated by another person. It then says that, in order to maintain activation, they must buy it. It asks not only for credit card information, but the PIN and 3-digit security number as well.

The popup says it comes from Microsoft, but it does not. The sender wants your credit card info.


14 posted on 05/25/2007 2:52:15 PM PDT by WaterWheeler

To: Ernest_at_the_Beach

Anyone who uses a credit card on the Internet should know that you should never type your number in sequentially the way it appears on the card.

You should break it up into pieces and use the mouse to relocate the cursor. NEVER THE ARROW KEYS - keyloggers can read arrow key movements, but so far... not mouse movements.

So say, for example, that your credit card number was: 123 456 789;

You should type first 456; then use the mouse to move the cursor in front of it and type 123; then use the mouse one more time and type 789.

This is simplified, but a simple procedure of NEVER typing a number in the order it appears on your credit card will defeat any keyloggers that currently exist.

I have helped a friend install a keylogger once during a messy divorce, and it’s amazing what information you can capture! It also makes it easy to figure out a way to defeat such software.

NEVER TYPE IN YOUR CC NUMBER WITHOUT SCRAMBLING IT AS I DESCRIBED. It’s not a big hassle, and it gives you an added layer of security. Even if someone did sneak a keylogger onto your machine somehow, they would not get a useful CC number if you follow this simple trick.


15 posted on 05/25/2007 2:57:04 PM PDT by Bon mots

To: WaterWheeler

BUMP!


16 posted on 05/25/2007 3:02:05 PM PDT by Publius6961 (MSM: Israelis are killed by rockets; Lebanese are killed by Israelis.)

To: Bon mots

Interesting advice! Thanks!


17 posted on 05/25/2007 3:02:14 PM PDT by Enterprise (I can't talk about liberals anymore because some of the words will get me sent to rehab.)

To: Bon mots
Great suggestion!

I can think of some deliciously useful variants of that!

18 posted on 05/25/2007 3:03:49 PM PDT by Publius6961 (MSM: Israelis are killed by rockets; Lebanese are killed by Israelis.)

To: Bon mots

Many thanks.


19 posted on 05/25/2007 3:04:30 PM PDT by RinaseaofDs

To: Bon mots
Anyone who uses a credit card on the Internet should know that you should never type your number in sequentially the way it appears on the card.

Interesting technique that may work against some keyloggers, but the program in question is also apparently scarfing SSL session information too, so that wouldn't work if you're infected by it.

Thank God I use Linux.

20 posted on 05/25/2007 3:04:40 PM PDT by zeugma (MS Vista has detected your mouse has moved, Cancel or Allow?)

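The exchange above (the out-of-order typing trick in #15 and the reply in #20 that an SSL-stream stealer gets the data anyway) can be made concrete. The following simulation is an added example written for this page, not code from either poster: it replays a constructed event stream (keystrokes plus mouse clicks that move the caret) through a minimal model of a browser text field and shows what two different stealers capture. A keystroke-only logger records the digits in the order typed and gets a useless number; a form grabber that hooks the submit and reads the field's final value, which is what a stealer sitting below the browser but above the TLS layer sees, gets the real number regardless of typing order.

```python
"""
Out-of-order typing versus two kinds of credential stealer.
All events and values are constructed for the demo.
"""
import urllib.parse

# Constructed event stream for one text field:
#   ("key", ch)   a keystroke inserting ch at the caret
#   ("click", i)  a mouse click moving the caret to offset i
#   ("submit",)   the form is submitted
EVENTS = [
    ("key", "4"), ("key", "5"), ("key", "6"),   # type the middle group first
    ("click", 0),                               # mouse: caret to the start
    ("key", "1"), ("key", "2"), ("key", "3"),
    ("click", 6),                               # mouse: caret to the end
    ("key", "7"), ("key", "8"), ("key", "9"),
    ("submit",),
]


class TextField:
    """Minimal model of a browser text input: a buffer and a caret."""

    def __init__(self) -> None:
        self.buf: list = []
        self.caret = 0

    def type_char(self, ch: str) -> None:
        self.buf.insert(self.caret, ch)
        self.caret += 1

    def click(self, pos: int) -> None:
        self.caret = max(0, min(pos, len(self.buf)))

    @property
    def value(self) -> str:
        return "".join(self.buf)


def keystroke_logger(events) -> str:
    """A logger that records key events only, in time order, with no caret
    context. Mouse clicks are invisible to it, so it sees the scrambled order."""
    return "".join(args[0] for ev, *args in events if ev == "key")


def form_grabber(events):
    """A stealer that hooks the submit and reads the field value the browser
    is about to send. It never cares how the value was typed."""
    field = TextField()
    for ev, *args in events:
        if ev == "key":
            field.type_char(args[0])
        elif ev == "click":
            field.click(args[0])
        elif ev == "submit":
            return field.value
    return None


def submitted_request_body(events) -> str:
    """The form-encoded body the browser hands to the TLS layer. An in-process
    hook placed before encryption captures exactly this plaintext."""
    return urllib.parse.urlencode({"card": form_grabber(events)})


if __name__ == "__main__":
    print("keystroke logger saw :", keystroke_logger(EVENTS))   # 456123789
    print("form grabber saw     :", form_grabber(EVENTS))       # 123456789
    print("pre-TLS request body :", submitted_request_body(EVENTS))
```

The design point is where the hook sits: anything that captures input events has to reconstruct the field and can be confused by caret moves it does not observe, but anything that reads the field or the request body after the browser has assembled it is indifferent to typing order. Defences against the second class are host-level (keeping the machine clean, out-of-band confirmation of transactions), not input tricks.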