Hybrid SSL/keylogger gozi trojan steals personal data
New malware variant hides code from anti-virus applications and triggers keylogger when user visits banking website.
A new form of the Gozi trojan is currently spreading across the internet, infecting thousands of computers and has so far stolen the personal data of thousands.
The variant is similar to the original worm, first detected in January, but two new features of the malicious code make it more deadly than before, according to experts.
The trojan has the ability to steal data from an SSL stream and also contains an integrally-coded keylogger which is only triggered when an infected machine is used to access a banking website.
But according to a researcher at IT security company SecureWorks, the malware has now "improved" its keylogger and also sports a packing utility that hides the virus code by compressing, encrypting and deleting parts of the code to evade detection by anti-virus products.
"It is bad enough that this new version of Gozi can encrypt and rotate its program code to by-pass conventional signature detection, but the fact it can switch a keylogging function on and off when the infected PC reaches an e-banking web page makes it almost undetectable using conventional IT security technology," said Geoff Sweeney, co-founder and chief technology officer of behavioural analysis software developers Tier-3.
Shining light on new 'cool' cloud technologies and their drawbacks
IONOS Cloud Up! Summit, Cloud Technology Session with Russell BarleyWatch now
Build mobile and web apps faster
Three proven tips to accelerate modern app developmentFree download
Reduce the carbon footprint of IT operations up to 88%
A carbon reduction opportunityFree Download
Comparing serverless and server-based technologies
Determining the total cost of ownershipFree download