Mon, October 08, 2007 — CSO — May: A Poor Re-emergence
The hackers known as 76 and Exoric weren’t just the managers of 76service; they were also clients. Through his undercover work, SecureWorks researcher Don Jackson found that Exoric himself owned a project – a portfolio of trojan-infected machines – just like the ones the team sold. Only, since access was free to him, his was a much bigger project, with hundreds of bots focused exclusively on Gozi-infected machines in Mexico and Chile (.mx and .cl domains), and no 30-day expiration. For a while, Exoric also used his own storefront for the Latin and South American markets, called GucciService.

But by May the business was strained by the constant pursuit of researchers writing signatures to detect Gozi and law enforcement working with them to find and take down the 76service servers.

Early in the month, Jackson was able to say “Gozi isn’t working. No one is going to the site.” At this time, his personal site was also the victim of what he termed a poor DDoS attack that lasted 36 hours. Soon after that, when he visited 76service.com, he found it abandoned, with a simple message: “I choose shadow. Please, never come back again.”

It seemed that, finally, it was over. But it wasn’t, of course. In fact even before Jackson found 76service.com abandoned, a new Gozi variant was already at work, and it would be learned that it had been infecting machines since at least April 14. This latest Gozi bot was better than ever. It had added keystroke logging as an alternative to form grabbing. And recognizing that researchers were their primary adversaries, the new version added features to stymie detection and reverse engineering. “Every copy of Gozi has a unique infection ID,” explains Jackson. “So when data comes into the server it can check against the ID to make sure it’s a valid infection. This new version also checked to see what your bot had sent before. Basically it could shut you off if you kept logging in without delivering good data, which is what researchers do.” The new version also logged the bot’s IP address so that it could be blocked from communicating with the server.

But there were problems. A programming glitch caused the service to create huge files of redundant information, interrupting service to customers while the duo tried to fix it. “That’s why QA testing is so important,” deadpans Jackson. They had only nabbed about 500MB of data off of 200 infected PCs when their new ISP, which Jackson says was based in Panama, took them offline again.

It was a poor reemergence. Lurking on a discussion board with a colleague who could translate Russian, Jackson found a post by someone named 57, a hacker thought to be part of the HangUp Team. 57 wrote that 76 broke off work with Exoric because the two were spending more time on the lam than they did running the service.

The FBI had wound down on the case, according to Jackson (though in an official statement given to CSO from the press office, the FBI says it welcomes any leads on information related to Gozi and 76service, which it termed “unique”). While they continued to monitor some accounts they knew were connected to 76service, Jackson didn’t think it would progress beyond that. 76service was officially defunct. By early June, 76 and Exoric had dissolved their partnership.

But 57 also seemed to indicate that 76 was back with HangUp Team and busy rewriting the Gozi form grabber. The new architecture would allow 76 to hide the drop servers from prying eyes, making it harder to interrupt or shut services down.

Jackson predicted at the time that a new 76service would follow in kind. After all, 76service didn’t fail because of the service model. It failed because of a lack of manpower to secure and manage the service. It couldn’t scale. “I think they cobbled together Gozi and 76service to see what it could do,” says Jackson. “They realize what they need to do next. They spotted weaknesses. Torpig was the next step; it was better. Now what’s next?” With the help of the HangUp Team, a 76service-like site capable of enduring its own success, will return using some descendant of Gozi or Torpig.

Next: A Radical New Strategy for Banks?