
Malware analysis of Gozi Trojan

This is an interesting and detailed analysis, done by SecureWorks, of a previously unknown piece of malware called Trojan.Gozi. It infected Windows XP SP2 machines and stole the user's login credentials for online accounts, such as banking websites. The trojan grabs login and password data by monitoring HTTP POSTs, even when the site uses SSL: it inserts itself as a shim between Internet Explorer and the network socket used to send the data, so it reads the request before SSL encryption happens. The practical lesson is that SSL only protects data in transit; code running on the endpoint that can see the browser's buffers before encryption gets the plaintext regardless of the site's certificate. Everything captured is shipped back to the attacker's server in Russia, and rootkit techniques are used to hide the trojan's presence.
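To make the point concrete, here is an added example (not Gozi's code and not from the SecureWorks analysis) showing what an interception point sitting between the browser and the socket sees: a small Python form-grabber that parses a plaintext HTTP POST and pulls out the fields that look like credentials. The sample request, the hostname and the list of credential field names are constructed for the example.

```python
"""Illustration of what a pre-encryption HTTP interception point sees.

Added example, not Gozi's code and not from the SecureWorks analysis. It parses
an HTTP POST the way a form-grabber between the browser and the socket would,
before SSL/TLS is applied, and extracts fields that look like credentials.
"""
from urllib.parse import parse_qsl

# Constructed sample: an application/x-www-form-urlencoded login POST as it
# exists in the browser's buffer before SSL encryption. Hostname is made up.
SAMPLE_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 46\r\n"
    b"Cookie: SESSION=abc123\r\n"
    b"\r\n"
    b"username=alice&password=hunter2&remember=1&x=y"
)

# Substrings of field names a credential harvester typically keys on
# (assumed list for this example).
CREDENTIAL_KEYS = ("user", "login", "email", "pass", "pwd", "pin")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Returns None if the buffer is not yet a complete request, which is what a
    real hook has to handle because the browser writes in chunks.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, path, _version = lines[0].split(" ", 2)
    except ValueError:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(body) < length:
        return None  # truncated: wait for more data
    return method, path, headers, body[:length]


def grab_form(raw: bytes):
    """Return the record a form-grabber would log for this request, or None
    when the request carries no credential-bearing form body."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return None
    method, path, headers, body = parsed
    if method != "POST":
        return None
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    fields = dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    creds = {k: v for k, v in fields.items()
             if any(key in k.lower() for key in CREDENTIAL_KEYS)}
    if not creds:
        return None
    # Host, path and session cookie are captured too: they are what makes a
    # stolen password immediately usable against the right site.
    return {
        "host": headers.get("host", ""),
        "path": path,
        "cookies": headers.get("cookie", ""),
        "credentials": creds,
    }


if __name__ == "__main__":
    print(grab_form(SAMPLE_POST))
```

Nothing here touches cryptography at all: at the point where this code runs, SSL has not yet been applied, so the site's certificate and cipher suite are irrelevant to what is captured.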

See the SecureWorks write-up for all the gory details, including dynamic and static analysis of the trojan under a debugger.
