A New Trojan, a Sample of Credential-Theft Tools
A recent Trojan that steals banking credentials has been analyzed by SecureWorks. It is a sample of the class of credential-theft tools that install themselves as a Layered Service Provider (LSP) in the user's Internet connection, where they can read or alter information as it passes through. This Trojan, however, has some additional twists. Heise Security reported this on May 22, 2007.
An LSP is a mechanism of the Winsock 2 Service Provider Interface (SPI). With it, an authorized service such as a firewall can insert itself into the Windows TCP/IP stack and, once inserted, inspect and manage TCP/IP traffic as it sees fit. The stack does not distinguish a benign provider from a malicious one, so malware with the rights to install a provider can use the same hook to copy chosen data to an outside target. Every byte an application sends or receives through Winsock passes through the installed LSP chain, whatever the application is.
The new Trojan is an advanced version of the Gozi Trojan horse. It uses updated Winsock 2 features to hijack encrypted SSL (Secure Sockets Layer) streams and transmit the captured information back to a server in Russia.
According to SecureWorks, two-factor authentication schemes such as the popular "pick an image" system used by many online banking services might not be sufficient protection against the new Gozi threat. In such a system the user answers some security questions as text and then clicks a pre-selected image from a batch of, say, four randomly arranged layouts on the screen. The selection is transmitted to the bank in the same stream as the password, so a tool that reads that stream on the user's PC captures both. Heise Security reported this on May 22, 2007.
Initially, the Trojan stole around 10,000 records from individuals, businesses and government organizations and sent them to an online 'storefront' on a server in Russia, where the data was put up for sale at a total value of over $2 million. The Inquirer reported this on May 21, 2007.
Until now, attackers wanting to defeat "pick an image" checks have had to rely on techniques such as screen capture, which are clumsy; that is why malicious programs had found the mechanism hard to break. Capturing the data stream itself removes that obstacle.
Investigations have shown that the Russian server was run by a group named 76service, which appears to have bought the Gozi code from a collective of hackers called the 'Hangup Team', operating from the Arctic Circle.
SPAMfighter News - 01-06-2007