A Russian Trojan program named Gozi that remained undetected for more than 50 days has stolen confidential data worth $2 million on the black market.
More than 10,000 private records belonging to about 5,200 US users were compromised. The data included about 2,000 Social Security numbers, as well as account numbers, user names and passwords for bank accounts and e-commerce sites.
It also included employee passwords for applications belonging to more than 300 companies and government organisations - including several law enforcement agencies in the US - and medical information of health care employees and patients whose user names and passwords were stolen from their home PCs.
All of the information was sent by Gozi to a server in St. Petersburg, where it was then sold on a subscription basis to an unknown number of individuals. The black market street value of the stolen data: $2 million.
The theft was uncovered in January by Don Jackson, a security researcher at SecureWorks, a managed security service provider. Jackson said that there are at least two more known variants of Gozi, meaning new attacks are likely.
According to Jackson, an acquaintance reported that several accounts on websites he visited from work and home had been hijacked. An investigation of his friend's PC uncovered a previously unclassified malware executable that appeared to have been installed last December.
An analysis of the Trojan program showed that it was designed to steal data from encrypted SSL streams and send it to a server in Russia. The Trojan took advantage of a vulnerability in the iFrame tags of Internet Explorer. The buffer overflow attack basically allows attackers to take complete control of a compromised system.
The server to which the information was being sent had a very professional-looking front end that allowed users to log into individual accounts, view indexed data and query fields such as URL and form parameters. Each query had a price, Jackson said. The currency used on the site was WMZ, a WebMoney unit roughly equivalent to the US dollar, Jackson said.
When Jackson discovered the Trojan in January, not one of the 30 anti-virus products he tested recognised it. Several flagged it as a suspicious file or a generic threat based on the fact that it was using a commonly known packing tool to compress the code. Updated versions of the same 30 products in early February did a better job of picking up Gozi, though even at that point five of the products completely missed it, according to Jackson.
Details of the Trojan and the information on the Russian server have been passed on to law enforcement authorities, and to several of the affected companies, Jackson said. The subscription service offering this stolen information was disabled on 12 March, he said. However, the server housing the data is still online and is continuing to receive stolen information, he said.