Hybrid keylogging Gozi trojan steals personal data

 

Gallery

By Rene Millman

Posted on 21 May 2007 at 17:58

Currently spreading across the Internet is a new form of the Gozi trojan, which is infecting thousands of computers and has so far stolen the personal data of thousands.

The variant is similar to the original worm, first detected in January, but two new features of the malicious code make it more deadly than before, according to experts.

The trojan has the ability to steal data from an SSL stream and also contains an integrally-coded keylogger that is only triggered when an infected machine is used to access a banking website.

But according to a researcher at IT security company SecureWorks, the malware has now "improved" its keylogger and also sports a packing utility that hides the virus code by compressing, encrypting and deleting parts of the code to evade detection by anti-virus products.

'It is bad enough that this new version of Gozi can encrypt and rotate its program code to by-pass conventional signature detection, but the fact it can switch a keylogging function on and off when the infected PC reaches an e-banking web page makes it almost undetectable using conventional IT security technology,' said Geoff Sweeney, co-founder and chief technology officer of behavioural analysis software developers Tier-3.