A fresh variant of the Russian Gozi Trojan has attacked computers in several countries over the last few months. The new build is a newer and stealthier version of the previously known Trojan horse program and has been circulating on the Internet since April 17, 2007.
The new variant has already stolen personal data from over 2,000 home users around the world.
The original Gozi Trojan was detected in January this year. The new variant adds two capabilities. The first is a packing utility that encrypts, compresses and deletes sections of the Trojan's code so that signature-based anti-virus software, which matches known byte patterns, no longer recognises the file on disk.
According to reports, the keylogging feature activates when an affected user visits a financial Web site. Information compromised by the virus includes bank and credit card account numbers, online payment details, usernames and passwords.
The variant was discovered by Don Jackson, a security researcher with Atlanta-based SecureWorks Inc., who also identified the original Gozi Trojan in January 2007.
According to Jackson, the new version is very similar to the original Gozi code in its purpose, but features two core enhancements. One of them is its use of a new and hitherto unseen “packer” utility that encrypts, mangles, compresses and even deletes portions of the Trojan code to evade detection by standard signature-based anti-virus tools. The original Gozi Trojan, in contrast, used a fairly commonly known packing utility called Upack, which made it slightly easier to detect than the latest version.
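To make concrete why a fresh packer defeats a signature scanner, the following added example (not code from the article, SecureWorks, or the Gozi authors) builds a toy packer that compresses a constructed "malicious" byte string and XOR-encrypts it with a per-sample key, then runs a simple pattern-matching scanner over the raw, packed and unpacked forms. The signature names, the stub bytes and the packer format are all constructed for this illustration; a real packer such as the one Jackson describes also mangles and deletes pieces of the code that its loader stub restores at run time, which this toy does not model.

```python
import hashlib
import zlib

# Constructed stand-in for a fragment of "known bad" code.  These are not
# Gozi bytes; they just contain strings a scanner could key on.
MALICIOUS_STUB = b"GetAsyncKeyState;WriteFile;POST /gate.php"

# Constructed signature database: a signature-based scanner looks for fixed
# byte patterns like these in the file as it sits on disk.
SIGNATURES = {
    "Trojan.Example.Keylogger": b"GetAsyncKeyState;WriteFile",
    "Trojan.Example.Exfil": b"POST /gate.php",
}


def scan(data):
    """Return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def pack(payload, key):
    """Toy packer: zlib-compress the payload, then XOR it with a repeating key.

    Output layout (hypothetical format): b"PACK" | key length | key | ciphertext.
    Every re-pack with a new key yields completely different bytes.
    """
    if not key:
        raise ValueError("key must be non-empty")
    compressed = zlib.compress(payload)
    ciphertext = bytes(b ^ key[i % len(key)] for i, b in enumerate(compressed))
    return b"PACK" + bytes([len(key)]) + key + ciphertext


def unpack(blob):
    """Undo pack().  A real loader stub does this in memory just before
    jumping to the decrypted code, which is why memory scanning or emulation
    sees what static scanning of the file misses."""
    if not blob.startswith(b"PACK"):
        raise ValueError("not a packed blob")
    key_len = blob[4]
    key = blob[5:5 + key_len]
    ciphertext = blob[5 + key_len:]
    compressed = bytes(b ^ key[i % len(key)] for i, b in enumerate(ciphertext))
    return zlib.decompress(compressed)


def scan_static_vs_unpacked(blob):
    """Compare what a static scanner sees against what it would see after
    the packer's own unpacking step has run."""
    static_hits = scan(blob)
    unpacked = unpack(blob) if blob.startswith(b"PACK") else blob
    return {"static": static_hits, "after_unpack": scan(unpacked)}


def repack_hashes(payload, keys):
    """SHA-256 of the same payload packed under each key.  Distinct hashes
    show why a signature taken from one packed sample does not catch the next."""
    return {hashlib.sha256(pack(payload, k)).hexdigest() for k in keys}


if __name__ == "__main__":
    packed = pack(MALICIOUS_STUB, b"\x5a\xa5\x3c")
    print("raw file:   ", scan(MALICIOUS_STUB))
    print("packed file:", scan_static_vs_unpacked(packed))
    print("distinct hashes for 3 re-packs:",
          len(repack_hashes(MALICIOUS_STUB, [b"\x01", b"\x02", b"\x03"])))
```

Running it shows both signatures firing on the raw stub, none on the packed file, and both again once the blob has been unpacked; each re-pack with a new key produces a different file hash. That is the gap a new, unrecognised packer opens against pure static signatures, and why detection of such samples relies on unpacking, emulation or behavioural checks rather than on the bytes on disk.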
This version of Gozi also has a new keystroke logging capability for stealing data, in addition to its ability to steal data from SSL streams.
According to Jackson, the keystroke logger appears to be activated when the user of an infected computer visits a banking Web site or initiates an SSL session. It is still unclear how exactly the keystroke logger knows to turn itself on and capture information, Jackson said.
Apart from those two differences, the variant is identical to Gozi. The Trojan infects systems by exploiting a previously patched vulnerability in Internet Explorer's handling of IFRAME tags, so machines that have applied Microsoft Corp.'s fix are not exposed through this route. Users typically appear to be infected simply by visiting certain hosted Web sites, community forums, social networking sites and sites belonging to small businesses.