Hybrid SSL/keylogger gozi trojan steals personal data
New malware variant hides code from anti-virus applications and triggers keylogger when user visits banking website.
A new form of the Gozi trojan is currently spreading across the internet, infecting thousands of computers and has so far stolen the personal data of thousands.
The variant is similar to the original worm, first detected in January, but two new features of the malicious code make it more deadly than before, according to experts.
The trojan has the ability to steal data from an SSL stream and also contains an integrally-coded keylogger which is only triggered when an infected machine is used to access a banking website.
But according to a researcher at IT security company SecureWorks, the malware has now "improved" its keylogger and also sports a packing utility that hides the virus code by compressing, encrypting and deleting parts of the code to evade detection by anti-virus products.
"It is bad enough that this new version of Gozi can encrypt and rotate its program code to by-pass conventional signature detection, but the fact it can switch a keylogging function on and off when the infected PC reaches an e-banking web page makes it almost undetectable using conventional IT security technology," said Geoff Sweeney, co-founder and chief technology officer of behavioural analysis software developers Tier-3.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.