Key-logging worm wriggles out of Russia

Gozi trojan activated by banking sites

By Paul Hales: Monday 21 May 2007, 15:56

A NEWER AND DECIDEDLY more dastardly version of the Russian Gozi virus, which uses key stroke logging capabilities to steal bank account details, has been loosed onto the Interweb, insecurity experts have warned.

The program is an updated version of the Gozi Trojan horse program which uses advanced Winsock2 functionality to hack into encrypted SSL (Secure Sockets Layer) streams and send the data back to a server in Russia.

To date, this new variant has stolen bank and credit card account numbers, social security numbers, online payment account numbers, user names and passwords from more than 2,000 people, a report on Computerworld said.

The newer version includes a key stroke logging capability which appears to be activated when someone using an infected PC visits an e-banking website, said Don Jackson, the security researcher who first uncovered the Gozi worm in January.

It also includes a packing utility which manipulates parts of its own code to evade detection by standard signature-based anti-virus software, said Jackson who works for Atlanta-based firm Secureworks.

Secureworks says the original Trojan was designed to capture any data entered into websites relying on SSL to protect confidential information, such as banking websites, online retailers and corporate intranets.

The worm initially stole more than 10,000 records from individuals, companies and government organisations and sent it all to an online 'storefront' on a Russian server from where it was being offered for sale for an amount totalling over $2 million.

The server was managed by a group called 76service which had apparently bought the Gozi code from a group of hackers based in the Arctic Circle called the Hangup Team, Computerworld said. µ