Hybrid SSL/keylogger gozi trojan steals personal data
New malware variant hides code from anti-virus applications and triggers keylogger when user visits banking website.
A new form of the Gozi trojan is currently spreading across the internet, infecting thousands of computers and has so far stolen the personal data of thousands.
The variant is similar to the original worm, first detected in January, but two new features of the malicious code make it more deadly than before, according to experts.
The trojan has the ability to steal data from an SSL stream and also contains an integrally-coded keylogger which is only triggered when an infected machine is used to access a banking website.
But according to a researcher at IT security company SecureWorks, the malware has now "improved" its keylogger and also sports a packing utility that hides the virus code by compressing, encrypting and deleting parts of the code to evade detection by anti-virus products.
"It is bad enough that this new version of Gozi can encrypt and rotate its program code to by-pass conventional signature detection, but the fact it can switch a keylogging function on and off when the infected PC reaches an e-banking web page makes it almost undetectable using conventional IT security technology," said Geoff Sweeney, co-founder and chief technology officer of behavioural analysis software developers Tier-3.
BCDR buyer's guide for MSPs
How to choose a business continuity and disaster recovery solution
Download now
The complete guide to changing your phone system provider
Optimise your phone system for better business results
Download now
