Gozi Trojan
Original issue date: March 26, 2007
It has been reported that a Trojan named "GOZI" is spreading in the wild to steal data that users submit over SSL-encrypted sessions. It is also reported that this Trojan went undetected from December 2006 and that a large number of hosts and user accounts were compromised in that time. The Trojan spreads by exploiting recently disclosed vulnerabilities in Internet Explorer and uses rootkit techniques to hide itself on the infected host.
The activities of the GOZI Trojan after execution are:
- Creates the following registry entry to ensure its automatic execution at every system startup ("User Name" stands for the profile folder of the logged-on user):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xx_Shell = "C:\Documents and Settings\User Name\xx_jqop.exe"
- Makes outbound connections on port 80/tcp (HTTP) to the server that hosted the exploit and the executable file.
- Uses Internet Explorer to access a prominent bank's web site and attempt a login; after being redirected to the SSL-protected secure login page, it attempts to log in with fake credentials.
- Steals credentials by key logging or by hijacking HTTP requests, and uploads them to a malicious server.
In view of the Trojan's high damage potential, users are advised to:
- Install and maintain updated anti-virus and anti-spyware software at both gateway and desktop level.
- Keep the operating system fully patched, in particular against the Internet Explorer vulnerabilities mentioned above.
- Deploy network-based and host-based IDS/IPS.
References
http://www.secureworks.com/research/threats/gozi/?threat=gozi
http://www.us-cert.gov/current/
http://isc.incidents.org/diary.html?storyid=2498
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9013819&source=rss_news10
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003