How Gozi's First Second Unfolds

A researcher details the beginning of a malware infection

Mon, October 08, 2007CSO The Gozi Trojan has improved dramatically since SecureWorks researcher Don Jackson downloaded the first known sample in February 2007. Still, understanding how that first one installed itself on a system offers a good non-technical primer on malware injection and the techniques used to beat the defenses. (For a full technical report, refer to Jackson's thorough unraveling of Gozi here: http://www.secureworks.com/research/threats/gozi)

Special Report: The Hacking Economy
Hacker Economics 1: Malware as a Service
Hacker Economics 2: The Conspiracy of Apathy
Hacker Economics 3: The Next Wave of Malware
Key Malware Terms
A Trojan's First Second
Death by iFrame
Inside a Hacker's Site: Screenshots

Even before Gozi was downloaded, it had been designed to confuse. Downloaders, the programs that inject the malware, are recognized by anti-intrusion product signatures, so Gozi split up keywords and strings of code in the downloader so that the pattern that defensive technologies normally would recognize didn't exist. Once Gozi gots by that gate, those keywords and strings of code were reassembled to their proper place.

Then following took place in under one second:

  1. In the Windows file where the logged-in user's custom settings are stored, Gozi writes a file called xx_abcd.exe, where abcd are random characters. This is the data stealing engine.

  2. Gozi writes several registry entries, including an xx_id value, a random number that serves as a unique infection ID. All information taken from this computer can then be associated with a dossier on that user's information.

  3. Gozi instructs windows to hide these registry entries, and all associated files including xx_abcd.exe.

  4. Gozi unpacks and installs a SOCKS proxy backdoor and assigns a password. This allows the person controlling the Gozi bot to send it updated instructions or add features and functionality to it anonymously and invisibly.

  5. Gozi unpacks a default set of options including what URLs it should wake up and monitor for forms it can grab and what IP addresses will serve as this machine's drop point.

  6. Gozi contacts the "mothership" or home server.

  7. The mothership tells Gozi to send it all client certificates it can find on the PC, along with the machine's newly assigned unique ID.

  8. Gozi downloads from the mothership an updated set of options to replace or augment the default ones unpacked from the malware. The new instructions might simply override the default options or they might have more specific instructions on new drop sites and other information.

  9. Gozi waits.

After that, whenever you start entering form data, it catches it on the fly and passes it off along with the unique infection ID to its drop point, where still more code is sorting the data. This happens whether or not the form data is SSL encrypted. On sites where the little lock on the browser glows, Gozi still works. It intercepts the form data in the vestibule that exists after it's entered and before it's encrypted. Jackson spent three days debugging Gozi. He says the first sample he looked at was rudimentary. It didn't encrypt its own transmissions. Some of the encryption and random character generation it used was weak. It didn't obfuscate its transmissions using proxy communication effectively. As he thought, later versions improved on these weaknesses dramatically, in the span of only a few months. "They didn't have to be so advanced with Gozi but now they are," he says. "It will only get more advanced over time."

malware
Loading...
Security MarketSpace
8 Tactics to Combat Vulnerabilities
This white paper reviews 8 key elements of vulnerability management and provides advice on combating known vs. unknown vulnerabilities. Learn more »
Email and Web Threats Require a Layered Defense
Learn how web threats are changing and how using a layered defense strategy can give you the security you need. Learn more »
The Case for Data Protection for SMBs
Take Fraudsters Out of the Game
Easily identify account-device relationships and get data for in-depth forensic analysis. Learn more »
Mobile Security Landscape
This paper examines the current mobile security landscape, including myths surrounding the risks and threats, and how organizations can establish a solid mobile security strategy. Learn more »
Reducing Energy Costs in Your Data Center
This white paper examines the most common roadblocks to improving data center efficiency. Learn more »
Security convergence equals network security cost savings
 Security convergence equals network security cost savings Learn more »
IBM ISS X-Force Threat and Risk Report
Read this Trend and Risk report from IBM® ISS X-Force® to learn statistical information about all aspects of threats that affect Internet security, including software vulnerabilities and public exploitation, malware, spam, phishing, web-based threats, and general cyber criminal activity. Learn more »
 
SPONSORED LINKS
 

Mobile Security: The Essential Ingredient for Today's Enterprise

IDC White Paper: CCM for IT Compliance and Risk Management

Keeping Your Members Safe from Online Scams and Predators

Learn about the growing threat of insider data theft.

See how AT&T can help protect your network.

Webcast: Unleashing the Power of Customer Data

White Paper: 5 Best Practices for Smartphone Support

Global Research: CIOs Weigh In On Virtualization

5 Key Virtualization Management Challenges

The Total Economic Impact of Network Security Intrusion Prevention

Join us at the US-Brazil IT-BPO Summit, on November 10th in New York.

Increase UPS efficiency without sacrificing protection.

Learn how advanced forecasting tools can deliver significant business results for global corporations.

Lower IT Costs with Oracle Database 11g Release 2

White Paper: Visibility and the New Normal of Mobile Work

Quell your virtualization concerns and realize significant cost savings

IDC Whitepaper: How virtualization will improve your medium-size business

Taking the Service Desk to the Next Level

Learn about The Information Technology Infrastructure Library.

Top Five CIO Challenges

Streamline IT Costs. Boost Performance with WAN Optimization.

Want to know how you can maximize employee productivity?

Build your 1st app FREE with Force.com

TDWI checklist helps define data readiness for analytics. Download report.

A new fleet of PCs with a total ROI in 10 months. Find your ROI.

White Paper: Managed Security for a Not-So-Secure World

Secure Email and Web-Based Communication from Evolving Attacks

WagerWorks Takes Fraudsters Out of the Game using iovation

White Paper: A Security Blueprint Delivered From within the Network

White Paper: 4 Customer Service Myths

White Paper: Improve Agility with Operational Responsiveness

White Paper: Legacy Tools: Not Built for the Helpdesk

Taking a Seat at the Executive Table: The Reality of Virtualization

White Paper: Next Generation Remote Infrastructure Management

Seven Design Requirements for Web 2.0 Threat Protection

Generation Remote Infrastructure Management - Changing the Paradigm

Cloud-Based Email Management: Opinion Shifts In Favor

eBook: How Can You Make Your People Productive Anywhere?

Achieving Business Agility with Application Grid

Ready to virtualize tier one applications? Check your virtualization maturity.

Why your midsize enterprise should consider virtualization

It's time your midsize enterprise adopts server-virtualization technology.

Seven Ways ITIL Can Help You in an Economic Downturn

Tips for successful virtualization management.

Unified Communications: Thoughts, Strategies and Predictions. Join the discussion

Read the RSA report: Security for Business Innovation

Webcast: Looking to the Cloud for Email and Collaboration Services

64-page prescriptive guide to security, compliance, and IT operations.

Keep your IT expertise up to date. Join the Intel Premier IT Professionals.

A Clear View Toward Virtualization

 
 
RESOURCE CENTER
 
buy a link »
Ads by TechWords