Security firm SecureWorks announced on Tuesday that the firm had uncovered a previously unknown Trojan horse and its associated data cache, both of which showed the increasing sophistication of data thieves.
The program, which the company dubbed "Gozi," evaded discovery by security firms for almost a month. It records the user names and passwords of online accounts, bypasses secure sockets layer (SSL) encryption, and uses a central server that also acts as a point of sale for underground data thieves. The SecureWorks researcher found nearly 10,000 account credentials belonging to 5,200 victims, including government employees, on the server. Account credentials for more than 30 banks and credit unions were on the central server.
"SecureWorks has contacted several of the companies affected and is working through various other channels, including law enforcement, to notify the remaining affected parties," Don Jackson, a security researcher for SecureWorks, stated in his analysis of the Trojan horse.
The server in particular underscores the increasing sophistication of data thieves, Jackson said. The software allowed customers to log in and buy selected search results using WebMoney, a Russian payment service. Prices varied: a search returning three passwords for a small retailer came in at about 100 WMZ, equivalent to US $100, while ten passwords for an international bank cost 2,500 WMZ, the report stated.
Malicious code has increasingly become focused on crime and data theft. Bot masters have started using their networks of compromised PCs to send out stock spam, which has accounted for a third of all spam since the end of 2006. The botnets have also been used to spread Trojan horses, such as the Storm Worm, using a large number of variants in an attempt to defeat antivirus software.
The latest Trojan horse, Gozi, had escaped detection since at least December 13, according to SecureWorks.
Posted by: Robert Lemos