Author Topic: Russian (Gozi) Trojan powering massive ID-theft ring  (Read 3666 times)


CharleyO

  • Guest
Russian (Gozi) Trojan powering massive ID-theft ring
« on: March 22, 2007, 07:05:07 PM »
***

"Researchers at SecureWorks have stumbled upon what appears to be a massive identity theft ring using state-of-the-art Trojan code to steal confidential data from thousands of infected machines in the U.S."

http://blogs.zdnet.com/security/?p=133&tag=nl.e622


***

guruh

  • Guest
Re: Russian (Gozi) Trojan powering massive ID-theft ring
« Reply #1 on: March 22, 2007, 11:31:58 PM »
Quote
http://www.secureworks.com/research/threats/gozi/

Highlights

A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.

    * Steals SSL data using advanced Winsock2 functionality
    * State-of-the-art, modularized trojan code
    * Spread through IE browser exploits
    * Undetected for weeks, months by many AV vendors
    * Customized server/database code to collect sensitive data
    * Customer interface for on-line purchases of stolen data
    * Accounts compromised by stealing data primarily from infected home PCs
    * Accounts at top financial, retail, health care, and government services affected
    * Data's black market value at least $2 million

There are two other known variants. New variants, similar attacks inevitable.

Firefox is safer?

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48839
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Russian (Gozi) Trojan powering massive ID-theft ring
« Reply #2 on: March 22, 2007, 11:52:29 PM »
It isn't browser dependent so in this case, no.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: Russian (Gozi) Trojan powering massive ID-theft ring
« Reply #3 on: March 23, 2007, 10:50:12 AM »
Hi bob3160,

From the description in the link: "Launch attacks through Internet Explorer browser exploits". How can you then say it is browser independent? With NoScript installed, and checking my links with the DrWeb add-on, I know I can prevent many a trojan downloader from running. I agree with you that Mozilla type browsers can infect because the OS is "explorer"-dependent, so not immediately but through a vulnerable explorer. Here with Gozi again the malware vector, and it is the vector of choice, is JAVASCRIPT. Read about the way it infects, and how it was detected here:
http://www.secureworks.com/research/threats/gozi/?threat=gozi
So with IE you are vulnerable, with IE with javascript disabled you are not vulnerable, but then you lose out on interactivity. The malware crooks know that most browser users like to use their browsers as default and like to click along with full operability, so their victims are just sitting out there for them like sitting ducks.
It is not the browser but the ill-equipped user that is the weakest part of the vulnerability chain,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89687
  • No support PMs thanks
Re: Russian (Gozi) Trojan powering massive ID-theft ring
« Reply #4 on: March 23, 2007, 01:49:54 PM »
There is also mention that it uses ActiveX, that and the "Launch attacks through Internet Explorer browser exploits" would lead me to believe it is browser specific.

Quote
The page included in this last IFRAME contained JavaScript code using XMLHTTP and ADODB (ActiveX Data Objects) functions to download and run an EXE file which was hosted on the same server.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security
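As an added example (not code from this thread or from the SecureWorks write-up), a small Python check a defender could run over captured page content to flag the delivery pattern quoted above: a hidden IFRAME together with script that instantiates XMLHTTP/ADODB ActiveX objects. The sample HTML is constructed for the example, the iframe URL is a placeholder, and the ProgID watch list and scoring are assumptions of this example.

```python
import re

# Constructed sample page (not from the SecureWorks report): a hidden IFRAME
# whose script instantiates the XMLHTTP and ADODB ActiveX objects.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<iframe src="http://placeholder.invalid/ld.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<script>
var x = new ActiveXObject("Microsoft.XMLHTTP");
var s = new ActiveXObject("ADODB.Stream");
</script></body></html>"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I | re.S)
ACTIVEX_RE = re.compile(r"""ActiveXObject\s*\(\s*["']([^"']+)["']""", re.I)
# ProgID substrings associated with fetching and writing data to disk from script
# (assumed watch list for this example).
SUSPICIOUS_PROGIDS = ("xmlhttp", "adodb.")


def hidden_iframes(html):
    """Return the attribute strings of IFRAMEs sized or styled to be invisible."""
    found = []
    for m in IFRAME_RE.finditer(html):
        attrs = m.group(1)
        zero = re.search(r"""(width|height)\s*=\s*["']?0\b""", attrs, re.I)
        hidden = re.search(r"visibility\s*:\s*hidden|display\s*:\s*none", attrs, re.I)
        if zero or hidden:
            found.append(" ".join(attrs.split()))
    return found


def activex_progids(html):
    """Return every watch-listed ActiveX ProgID the page's script instantiates."""
    return [p for p in ACTIVEX_RE.findall(html)
            if any(k in p.lower() for k in SUSPICIOUS_PROGIDS)]


def assess(html):
    """Flag a page only when both indicators co-occur: a lone XMLHTTP call is
    ordinary IE-era AJAX, and a lone hidden IFRAME is common in ad code."""
    iframes = hidden_iframes(html)
    progids = activex_progids(html)
    return {"hidden_iframes": iframes, "activex": progids,
            "suspicious": bool(iframes) and bool(progids)}


if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
```

A pure JavaScript-based detector like this only sees what is in the fetched HTML; obfuscated or dynamically built script will need to be evaluated in a sandbox before the same checks apply.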

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48839
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Russian (Gozi) Trojan powering massive ID-theft ring
« Reply #5 on: March 23, 2007, 02:40:42 PM »
 :o :-[ :-X