Slashdot Mirror


Trojan Analysis Leads To Russian Data Hoard

Stolen Identity writes "An attack by a single Trojan variant compromises thousands, circumvents SSL, and uploads the results to a Russian dropzone server. A unique blow-by-blow analysis reveals evidence of cooperation between groups of malware specialists acting as service providers and points to the future of malware's growing underground economy."

2 of 103 comments

  1. What About Firefox Users? by eldavojohn · Score: 5, Interesting
    From the article,
    • Steals SSL data using advanced Winsock2 functionality
    • State-of-the-art, modularized trojan code
    • Spread through IE browser exploits
    • etc ...
    When I read the Slashdot summary, I was initially concerned that I may be at risk. But then I noticed the above three lines and realized there was no risk since I don't use IE.

    But, in the end, if this is an exploit utilizing the very basic network DLL that windows provides for socket connections (Winsock2--which is what I assume all network applications eventually link against in Windows) then why aren't other browsers at risk?

    I know Firefox is awesome & more secure & all that jazz but I haven't done enough network programming to know the nitty gritty details of it. Does anyone know why, if this trojan is exploiting the basic socket connection library that the Windows API provides, all browsers aren't potential victims?

    I mean, it makes sense to introduce some sort of security that never ever lets anything but the browser's code access the interfaces to these libraries ... is IE really that flawed?
    --
    My work here is dung.
    1. Re:What About Firefox Users? by TheNicestGuy · Score: 3, Interesting

      Monster of an article, so I don't blame anyone for not catching the details on this. What it boils down to is that IE exploits are the main propagation vector of Gozi, but its actual performance of nastiness does not necessarily rely on IE. Once it's installed and running, it will intercept and leak to its "mothership" any and all HTTP POSTs that go through WinSock2, no matter what browser they come from, because it manages to register itself as a "Layered Service Provider" sitting between the browser and the socket. Unfortunately, I do not know which browsers make use of WinSock2 and its LSP functionality, and which don't. It would have been nice to mention that in the article as an aside.

      Another way IE is specifically involved is that Gozi does some extra sniffing inside IE's JavaScript engine to get data that's being sent AJAX-style rather than through normal POSTs.
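The reply above explains the mechanism: a Layered Service Provider registered in the Winsock catalog sits between any application and the base TCP/IP provider, so it sees POST bodies before they reach the socket regardless of browser. The defensive check that follows from that is to enumerate the catalog and look at what is layered in. The script below is an added example, not code from the article or from anyone in this thread: it parses the text printed by `netsh winsock show catalog` (the field layout is assumed from that command's output), reports every non-base entry and every provider DLL that lives outside the Windows system directory, and ships with a constructed sample catalog, including a hypothetical third-party LSP, so the parser runs offline.

```python
"""Enumerate Winsock catalog entries and flag Layered Service Providers.

Added example (not from the article or thread). Field names and layout are
assumed from `netsh winsock show catalog`; the sample catalog below is
constructed, and the LSP entry in it is hypothetical.
"""
import re
import subprocess
import sys

# Constructed sample modelled on `netsh winsock show catalog` output:
# one stock Microsoft base provider and one hypothetical third-party LSP
# (its dummy entry plus the chain entry that routes TCP/IP through it).
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example Filter LSP (hypothetical)
Provider ID:                        {00000000-0000-0000-0000-000000000000}
Provider Path:                      C:\Users\Public\exlsp.dll
Catalog Entry ID:                   1034
Version:                            2
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example Filter LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {11111111-1111-1111-1111-111111111111}
Provider Path:                      C:\Users\Public\exlsp.dll
Catalog Entry ID:                   1035
Version:                            2
Protocol Chain Length:              2
"""

# Paths considered "system": the two spellings netsh commonly prints.
SYSTEM_DIR_MARKERS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_catalog(text):
    """Return one dict per catalog entry, keyed by the printed field name."""
    entries = []
    for block in re.split(r"Winsock Catalog Provider Entry", text)[1:]:
        fields = {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z ]+):\s+(.*?)\s*$", line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if fields:
            entries.append(fields)
    return entries


def in_system_dir(path):
    """True if the provider DLL path is under the Windows system directory."""
    p = path.lower()
    return any(p.startswith(marker) for marker in SYSTEM_DIR_MARKERS)


def flag_suspicious(entries):
    """Return (catalog_id, description, reason) for entries worth a look.

    Heuristic: any entry that is not a base provider is layered into the
    path every application's traffic takes, so it is reported; a DLL
    outside the system directory is reported regardless of entry type.
    Legitimate products (some security software) also install LSPs, so
    findings are leads for review, not verdicts.
    """
    findings = []
    for e in entries:
        etype = e.get("Entry Type", "")
        path = e.get("Provider Path", "")
        reasons = []
        if etype != "Base Service Provider":
            reasons.append("layered entry (%s)" % etype)
        if not in_system_dir(path):
            reasons.append("DLL outside system directory: %s" % path)
        if reasons:
            findings.append((e.get("Catalog Entry ID", "?"),
                             e.get("Description", ""), "; ".join(reasons)))
    return findings


def main(argv):
    # With --live on Windows, read the real catalog; otherwise use the sample.
    if len(argv) > 1 and argv[1] == "--live" and sys.platform == "win32":
        text = subprocess.run(["netsh", "winsock", "show", "catalog"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_CATALOG
    for cid, desc, reason in flag_suspicious(parse_catalog(text)):
        print("entry %s: %s -> %s" % (cid, desc, reason))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with `--live` on a Windows host to inspect the real catalog; without the flag it reports the two hypothetical LSP entries from the sample and stays quiet about the stock TCP/IP provider. A catalog that an unknown DLL has inserted itself into can be rebuilt with `netsh winsock reset`, after which the DLL itself still has to be dealt with.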