Key-logging worm wriggles out of Russia

Discussion in 'malware problems & news' started by Capp, May 21, 2007.

Thread Status:
Not open for further replies.
  1. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States


    Full Article
     
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    that sounds wicked.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, I want this malware pls.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You have to dig a little further to get more detailed information about it's method of intstallation:

    http://www.secureworks.com/research/threats/gozi/?threat=gozi

    Pretty easy to block.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Well, it doesn't have any peculiarity.
    - Signature-based solutions have a hard time to keep up:
    - But it doesn't bring any new method of infection:
    * Classic drive-by download through browser vulnerability:
    * Classic social engineering targeted to users whom click everything and/or don't whitelist browser-based active content (Java/Javascript) :
    - It appears to hook into winsock (to intercept unencrypted data) as soon as the user goes to him/her bank:
    - Also, it has classic keystroke logging capability:
    Resume: nothing to worry about.
     
    Last edited: May 21, 2007
  6. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I knew this was nothing to bring concern about to those in the know, but I wanted to post it just to make everyone aware of its presence.

    I'm cleaning someone's computer right now that got infected by a trojan that has since passed its prime, but he was on an unpatched, unprotected system and now I am spending some serious time getting it removed.
     
  7. devolutionist

    devolutionist Registered Member

    Joined:
    May 28, 2007
    Posts:
    1
    Should I be concerned that Gozi isn't in NOD32's virus list? If not, please explain... thanks!
     
  8. ASpace

    ASpace Guest

    Where did you read/hear that ...
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I would be. You might bring this up in their Forum.

    A more pertinent question should be, Can I depend on classical Signature/Heuristic-based solutions for Zero-day prevention?

    From the SecureWorks analysis I mentioned in my above post:

    Their analysis includes this:

    In the "Prevention" section, AV heuristics and other detection measures are described as "useful." And they conclude,

    Another company is SecureWave

    http://www.securewave.com/home.jsp
    http://www.securewave.com/endpoint_security.jsp

    While SecureWorks' Services and SecureWave's products are designed for commercial use, fortunately, this technology is available for Home Users in a variety of different products, as discussed in the Anti-malware software forum.


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Any links to their products for home users?
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm not aware that they make products for home users.

    For home users, I was referring to the White List (execution prevention) software discussed in the anti-malware software forum here, which will easily block the Gozi-type exploits.

    Sorry for the confusion.

    regards,

    -rich
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok, got it.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The reason I quoted those two companies (and I read their White Papers regularly) is that SecureWorks has the only indepth analysis (that I'm aware of) of Gozi.

    Most mainstream media articles do not go into detail of how exploits work. Now, they certainly don't have to quote all of the technical details, which no one but a programmer could understand, but at least give the pertinent information which would lead one towards a solution -- as in the bold emphasis I put in the quotes in my post above.

    Second, this type of White List technology was first implemented by vendors of Business and Educational security solutions. Faronics was one of the first companies to make Home versions of some of this technology. Now, thankfully, it is becoming more widespread with other vendors, and home users have quite a nice selection of solutions from which to choose.

    regards,

    -rich
     
Loading...
Thread Status:
Not open for further replies.