Slashdot Mirror


Trojan Analysis Leads To Russian Data Hoard

Stolen Identity writes "An attack by a single Trojan variant compromises thousands, circumvents SSL, and uploads the results to a Russian dropzone server. A unique blow-by-blow analysis reveals evidence of cooperation between groups of malware specialists acting as service providers and points to the future of malware's growing underground economy."

11 of 103 comments

  1. What About Firefox Users? by eldavojohn · · Score: 5, Interesting
    From the article,
    • Steals SSL data using advanced Winsock2 functionality
    • State-of-the-art, modularized trojan code
    • Spread through IE browser exploits
    • etc ...
    When I read the Slashdot summary, I was initially concerned that I may be at risk. But then I noticed the above three lines and realized there was no risk since I don't use IE.

    But, in the end, if this is an exploit utilizing the very basic network DLL that windows provides for socket connections (Winsock2--which is what I assume all network applications eventually link against in Windows) then why aren't other browsers at risk?

    I know Firefox is awesome & more secure & all that jazz but I haven't done enough network programming to know the nitty gritty details of it. Does anyone know why, if this trojan is exploiting the basic socket connection library that the Windows API provides, all browsers aren't potential victims?

    I mean, it makes sense to introduce some sort of security that never ever lets anything but the browser's code access the interfaces to these libraries ... is IE really that flawed?
    --
    My work here is dung.
    1. Re:What About Firefox Users? by BlueTrin · · Score: 5, Funny

      is IE really that flawed?

      +2 funny

      --
      Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
    2. Re:What About Firefox Users? by Aladrin · · Score: 4, Informative

      You stopped reading too early. Later in TFA, it shows a screencap of the website that has badly translated text that basically says 'Snatch 2 - will work on firefox'. In other words, you're not affected... yet.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    3. Re:What About Firefox Users? by Cyberax · · Score: 4, Informative

      No, IE uses a layer called WinInet to access the Internet (http://msdn2.microsoft.com/en-us/library/aa385483.aspx). It automatically provides SSL/TLS connectivity to IE.

      Firefox uses basic sockets and encrypts data using a standalone SSL library.

    4. Re:What About Firefox Users? by TheNicestGuy · · Score: 3, Interesting

      Monster of an article, so I don't blame anyone for not catching the details on this. What it boils down to is that IE exploits are the main propagation vector of Gozi, but its actual performance of nastiness does not necessarily rely on IE. Once it's installed and running, it will intercept and leak to its "mothership" any and all HTTP POSTs that go through WinSock2, no matter what browser they come from, because it manages to register itself as a "Layered Service Provider" sitting between the browser and the socket. Unfortunately, I do not know which browsers make use of WinSock2 and its LSP functionality, and which don't. It would have been nice to mention that in the article as an aside.

      Another way IE is specifically involved is that Gozi does some extra sniffing inside IE's JavaScript engine to get data that's being sent AJAX-style rather than through normal POSTs.
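The comment above describes Gozi inserting itself into the Winsock catalog as a Layered Service Provider so that it sits between the browser and the socket. Whatever the exact interception mechanism, an unexpected layered provider in the catalog is something a responder wants to see quickly. The script below is an added example and is not from the article or from any poster in this thread: it parses the text that `netsh winsock show catalog` prints on Windows and flags layered entries whose DLL loads from outside the system directory. The catalog text embedded in it is constructed to mimic the netsh layout; the "Example Hooked TCP" entry, its DLL path and its GUID are hypothetical placeholders, not identifiers from the article.

```python
"""Triage Winsock2 Layered Service Providers from `netsh winsock show catalog`.

Added example, not code from the article or the thread. The sample below is
constructed to mimic netsh output; the hooked entry is a hypothetical
placeholder, not an indicator taken from the Gozi analysis.
"""
import re
from typing import Dict, List

ENTRY_HEADER = "Winsock Catalog Provider Entry"
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")

# Windows ships its own providers (e.g. mswsock.dll) from the system
# directory. A layered provider loaded from anywhere else deserves a look,
# although legitimate third-party LSPs (AV, filtering software) exist too.
SYSTEM_DIR_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

# Constructed sample in the `netsh winsock show catalog` layout (field subset).
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol:                           6
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example Hooked TCP
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\Users\Public\wsock_layer.dll
Catalog Entry ID:                   1042
Protocol:                           6
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example Hooked TCP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\Users\Public\wsock_layer.dll
Catalog Entry ID:                   1043
Protocol:                           6
Protocol Chain Length:              2
"""


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split netsh output into one dict of 'Field': 'value' per catalog entry."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip() == ENTRY_HEADER:
            current = {}
            entries.append(current)
            continue
        # Skip blank lines, the dashed separator, and anything before the first entry.
        if not entries or set(line.strip()) <= {"-"}:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return entries


def is_layered(entry: Dict[str, str]) -> bool:
    """True for 'Layered Service Provider' and 'Layered Chain Entry' types."""
    return "layered" in entry.get("Entry Type", "").lower()


def loads_from_system_dir(path: str) -> bool:
    return path.strip().lower().startswith(SYSTEM_DIR_PREFIXES)


def suspicious_lsps(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Layered entries whose provider DLL lives outside the system directory."""
    return [e for e in entries
            if is_layered(e) and not loads_from_system_dir(e.get("Provider Path", ""))]


def report(entries: List[Dict[str, str]]) -> str:
    lines = [f"[!] catalog id {e.get('Catalog Entry ID')}: {e.get('Description')}"
             f" -> {e.get('Provider Path')}" for e in suspicious_lsps(entries)]
    return "\n".join(lines) or "no layered providers outside the system directory"


if __name__ == "__main__":
    # On a live host: netsh winsock show catalog > catalog.txt, then parse that file.
    print(report(parse_catalog(SAMPLE_CATALOG)))
```

Treat a hit as a lead rather than a verdict: pull the flagged DLL, check its signature and hashes, and compare the catalog against a known-good host. The chain entry (Protocol Chain Length 2) is how the layer is wired above the base TCP provider, which is why both the layer and its chain entry appear in the output.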

  2. Spreads!=Affects by Anonymous Coward · · Score: 3, Informative

    You need IE to install the trojan, once it is running it will compromise all SSL traffic.

  3. Re:Possible solution... by BlueTrin · · Score: 4, Insightful

    I guess the major flaw would be that I could write code and report it?

    --
    Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
  4. headline strike again! by Arielholic · · Score: 5, Funny

    Trojan Analysis Leads To Russian Data Hoard

    So the analysis led to the hoarding? Everybody stop analyzing NOW!

  5. Re:IP traceback by Klaus_1250 · · Score: 4, Informative

    I doubt they will use a single IP for long; in fact, I would say that if they are pros, they'll only use it for several hours. There are quite a few organizations tracing and logging such IPs, and some of the better security software blocks them. The longer you use a single IP, the less effective they'll be and the higher the risks.

    --
    It only takes one man to change the Wisdom of the Crowd to Tyranny of the Masses.
  6. i'm in awe by circletimessquare · · Score: 3, Insightful

    reading that article is like looking at the blueprint for a neutron bomb: beautiful, magnificent, and pure evil

    the mind boggles at what these men (or women) of such high craft could achieve were they to devote their genius to good efforts rather than bad. as it is, in the business they are in, they will probably very rapidly come under the thumb of the russian mafia, if they aren't already. then their life will be on a short leash, that, if they attempt to tug, will land them with a swift reprimand from guys you don't want to know what a swift reprimand from is like

    sad. these are no script kiddies here. these are smart blokes. and they are also doomed to a life under the thumb of men a thousand times more evil than their devilish and brilliant exploits ever could be

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  7. Who's the target customer? by BobMcD · · Score: 4, Insightful

    What frustrates me a bit about TFA is where they stopped. They identified what the malware is, does, where it comes from, etc. They seem to have left out the 'why' part of the equation. Who would buy the data, and for what purpose? Dig a little deeper here. What we are defending against becomes a lot clearer when the motives of the attacker are known. This exploit is sophisticated and mature. It appears to be a viable business. This is not the action of an individual bent on personal gain, rather a real-world example of organized crime. This is much more serious than we're being led to believe. This is what gives me pause: What kind of customer would pay for access to such a broad set of data?