Gozi Trojan analysis

SecureWorks has posted an analysis of another Trojan that is used to steal SSL/TLS-encrypted data transferred from the victimized PC.

A single attack by a single variant compromised more than 5,200 hosts and 10,000 user accounts on hundreds of sites.

  • Steals SSL data using advanced Winsock2 functionality
  • State-of-the-art, modularized Trojan code
  • Spread through IE browser exploits
  • Undetected for weeks, months by many AV vendors
  • Customized server/database code to collect sensitive data
  • Customer interface for on-line purchases of stolen data
  • Accounts compromised by stealing data primarily from infected home PCs
  • Accounts at top financial, retail, health care, and government services affected
  • Data’s black market value at least $2 million

Full article is here.

Smarter and Smarter

Websense has posted a nice malware analysis showing how easily security software can be bypassed by malicious software.

Before carrying out its primary objective, this malware first disarms any antivirus or firewall it can find:

The file is packed with a custom packer/protector, which we had never encountered before. Here is a brief description of the packer and what it does to prevent analysis.

The protected application doesn’t run in a Virtual Machine (default configuration). Once this problem is fixed, it generates 1372 (!) exceptions in the loader to thwart debuggers, tracers, emulators, and so forth.

There is a CRC to prevent patching of the protection code; therefore, the protector will never call the original entry point if the code has been patched, or if a software breakpoint is found in the routine.

One of the first things the malware does is to scan for security applications in memory. It uses a few different techniques, including looking for Windows Name, Process Name

It kills several antivirus products, if they are found in memory, as well as some firewall products.

It lowers the computer's sound volume in order to prevent the user from hearing a warning sound generated by antivirus programs.

Full analysis is here.

Distributing malware over ed2k network

While searching for some legitimate content on the ed2k p2p network I stumbled into some strange search results. Those results looked like they were forged from the search query. I then searched for surely non-existent files and got the same forged results.

A quick check of the files shows that at least one of them contains malware.

The malicious server forges an ed2k link for every query by changing only the name of the file, while the MD5 remains the same. The malicious server then connects to one of the biggest servers in the network. Users who use Global search (trans-server) will receive the link in almost every search, and the result may look very legitimate due to the good availability of the file. The malicious files are very well shared and will be downloaded in a matter of seconds.
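The tell-tale sign of the forging server described above is one hash field that comes back for unrelated queries, each time under a filename copied from the query. The following is an added example (not code from the original post) that parses ed2k file links and flags hashes returned for several distinct queries; the link format follows the standard `ed2k://|file|<name>|<size>|<hash>|/` layout, and the search results and hashes are constructed placeholders.

```python
import re
from collections import defaultdict

# Standard ed2k file-link layout: ed2k://|file|<name>|<size>|<hash>|/
ED2K_LINK = re.compile(
    r"ed2k://\|file\|(?P<name>[^|]+)\|(?P<size>\d+)\|(?P<hash>[0-9A-Fa-f]{32})\|/"
)


def parse_ed2k_link(link):
    """Split an ed2k file link into its name, size and (lower-cased) hash fields."""
    m = ED2K_LINK.fullmatch(link)
    if not m:
        raise ValueError(f"not an ed2k file link: {link!r}")
    return {"name": m.group("name"), "size": int(m.group("size")),
            "hash": m.group("hash").lower()}


def find_forged_hashes(results_by_query, min_queries=3):
    """results_by_query maps each search query to the list of links it returned.

    Returns {hash: sorted filenames} for every hash that came back for at least
    min_queries distinct queries. A legitimate file matches the few queries its
    name is relevant to; a forging server answers (almost) every query with the
    same hash under a query-derived filename, including nonsense probe queries.
    """
    queries_per_hash = defaultdict(set)
    names_per_hash = defaultdict(set)
    for query, links in results_by_query.items():
        for link in links:
            entry = parse_ed2k_link(link)
            queries_per_hash[entry["hash"]].add(query)
            names_per_hash[entry["hash"]].add(entry["name"])
    return {h: sorted(names_per_hash[h])
            for h, qs in queries_per_hash.items() if len(qs) >= min_queries}


# Constructed sample results: the hashes are made-up placeholders, not real indicators.
LEGIT_HASH = "0123456789abcdef0123456789abcdef"
FORGED_HASH = "deadbeefdeadbeefdeadbeefdeadbeef"
SAMPLE_RESULTS = {
    "ubuntu iso": [
        f"ed2k://|file|ubuntu-6.10-desktop-i386.iso|729808896|{LEGIT_HASH}|/",
        f"ed2k://|file|ubuntu iso.exe|1048576|{FORGED_HASH}|/",
    ],
    "holiday photos": [f"ed2k://|file|holiday photos.exe|1048576|{FORGED_HASH}|/"],
    # A deliberately nonsensical probe query: any hit at all is suspicious.
    "zxqv nonexistent 98765": [
        f"ed2k://|file|zxqv nonexistent 98765.exe|1048576|{FORGED_HASH}|/"
    ],
}

if __name__ == "__main__":
    for h, names in find_forged_hashes(SAMPLE_RESULTS).items():
        print(f"suspect hash {h} served under {len(names)} names: {names}")
```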