GOZI RELOADED – KING OF EVASION

Over the last couple of weeks / months, there has been quite a bit of interest in transactional Trojans such as Zeus, Carberp, SpyEye and the like. The reason for this was obviously the big success by law enforcement against the perpetrators of these crimes. However such orchestrated action is mostly triggered by success and Zeus has been very successful.

We security researchers know that if one Trojan gets too big, others will step up and stay under the radar to perform their dirty tasks.

Gozi is one of these Trojans that stays fairly under the radar and is able to cause quite a bit of damage within the industry. When we came across a new variant that had a 0% detection rate on Virustotal even though it was virtually doing the same thing as almost one year ago, we were amazed that these guys can manage to evade signature patterns so consistently. As a recap, we looked at Gozi before in February 2010 and the sample we looked at then also had 0% detection rate!!! This is astonishing.

Furthermore, this Gozi variant uses some very interesting characteristics that are worth looking at:

  • Firstly, it uses an encrypted HTTPS connection for its C&C server communication with a valid certificate. This was exclusively done to evade detection and make it harder for the “good guys”. This shows the effort these guys put in to stay undetected.
  • The infection mechanism is still so successful that Gozi didn’t have to change much over the last year. However Gozi was always at the forefront (e.g. Firefox has been supported for a long time).
  • Additionally, this Trojan features extensive client side logic (in JavaScript) and is able to work with many different banking websites to steal static information (such as maiden name, …), and also dynamic password schemes (such as Two-Factor Authentication, One-Time-Password and the like) – very similar to Zeus, SpyEye, Carberp, Silon, etc.
  • This enables real time account takeover that even works with Two-Factor Authentication.

This is a perfect example that the sophistication of these Trojans is increasing rapidly and that the malware problem we face is here to stay.

 

1 INTRODUCTION

Malware samples with 0% detection rate on Virustotal are always very interesting and when we came across a new Gozi variant with 0% detection rate, we simply had to have a more detailed look at this sample.

We have covered the Gozi Trojan in the past; please refer to our in-depth report in February 2010.

The Gozi sample we looked at showed pretty much the same characteristics as the ones we analysed back in February, so this in-depth report will not cover the general details of the Gozi Trojan, but will enable us to focus on the HTML injection part and some interesting enhancements that these guys put into it.

 

2 INSTALLATION & RECAP

We looked at the sample with MD5 3c2892679f682f8a60e78823fd5d3faa, which had the following Virustotal detection on Sep 30, 2010: 0% (0/43), see http://www.virustotal.com/file-scan/report.html?id=7d6ee800c86e3a5fdda89412cf77c7d804847d3fe329ea719bf3734c8c9d5ebf-1285832603

After executing the payload, Gozi will compromise the system as we would expect from a Gozi Trojan. An automated analysis is available here: http://camas.comodo.com/cgi-bin/submit?file=7d6ee800c86e3a5fdda89412cf77c7d804847d3fe329ea719bf3734c8c9d5ebf

2.1 SAME APPCERTDLL APPROACH

Our Gozi installed similar files and used the same AppCertDlls approach to infect the system.

2.2 SAME ADDITIONAL INFORMATION IN THE REGISTRY

The additional information is also present in the same location as in earlier versions.

2.3 SAME C&C COMMUNICATION STRUCTURE

And finally the C&C communication structure stayed the same as well.

2.4 SAME CONFIGURATION FILE ENCRYPTION

The encryption mechanism for the configuration file hasn’t changed so we could easily recover the decrypted configuration file which will be discussed later on in more detail.

2.5 WORKS WITH FIREFOX AND INTERNET EXPLORER, BUT NOT WITH CHROME

As before, it works with Firefox and Internet Explorer; Chrome crashes or doesn’t really start (meaning the chrome.exe process gets created but consumes 100% CPU load).

2.6 OFF-TOPIC: WHO COMES UP WITH THE NAMES FOR VIRUSES???

When you submit this sample to Virustotal, you’ll get the following 29 unique virus names (!) in return:

  • Win-Trojan/Papras.116736.G, TR/Carberp.E.5, Backdoor/Win32.Papras.gen, Win32:Carberp-B, Win32:Carberp-B, PSW.Generic8.WPI, Trojan.Generic.KD.44989, TrojWare.Win32.Trojan.Agent.Gen, Trojan.BrowseSpy, Trojan.Win32.Carberp!IK, Trojan.Generic.KD.44989, W32/Papras.B!tr, Trojan.Generic.KD.44989, Trojan.Win32.Carberp, Backdoor/Papras.pm, Backdoor, Backdoor.Win32.Papras.uk, Generic.dx!ubq, Generic.dx!ubq, Trojan:Win32/Carberp.E, Win32/PSW.Papras.BC, W32/Smalltroj.ZKKH, Trojan/W32.Agent.116736.FP, Generic Trojan, Trojan.Gen, Medium Risk Malware, Troj/Gozi-B, Trojan.Win32.Generic!SB.0, Trojan.Gen, Trojan/Papras.bc, TROJ_GOZI.A, TROJ_GOZI.A, Backdoor.Papras.uk, Trojan.Win32.Carberp.116736, Backdoor.Papras.AJM

I understand the generic detection (such as Trojan.Gen), but how can someone detect this as Carberp? This sample doesn’t show any characteristics of Carberp. The AVs that call this Gozi are actually in the minority here, and based on the antivirus results alone, I would think it’s Carberp.

Can someone please enlighten me with the naming procedure for viruses?

2.7 CONCLUSION

So altogether, the underlying infection approach is exactly the same as before, which probably means that there was no need yet to change anything as the current approach is effective. This is further supported by the fact that not a single antivirus engine picked up this version of Gozi, even though what it does is exactly the same as almost 1 year ago!!!

3 C&C SERVER

Please refer to the full report for details.

 

3.1 Where is <IP removed, available in full report>?

 

3.2 Trusted Web Indicators

As we know, the trouble with any indicator of whether a particular website is safe is that it relies on some prior knowledge about the server. We quickly checked two services and neither found the C&C server to be malicious.

 

4 USE OF HTTPS AND SSL CERTIFICATE

We are seeing more and more Trojans that are using SSL and HTTPS to cover their tracks. Additionally, more and more Trojans use digital certificates to evade detection. These digital certificates are either obtained fraudulently (by pretending to be someone else) or stolen (the private key is taken from its legitimate owner).

In our case, it’s much worse as the bad guys didn’t have to do anything fraudulent. You can happily get SSL certificates today that are only “domain validated”. This means that (contrary to public belief) nobody has verified the identity of anyone. All the Certificate Authority did was to send an email to someone to prove that the person has access to the domain (e.g. can receive emails to admin@domain.com).

As with all new transactional Trojans, Gozi has the ability to inject arbitrary HTML into any banking website. As discussed in the previous in-depth report in very much detail, Gozi will in many cases make additional requests to the C&C server to download specific information (such as money mule account details, etc.)

This variant of the Gozi Trojan now uses an HTTPS connection to do this. The reasons for doing so are quite obvious.

  • Many infections are detected by their C&C communication. This can be within a proxy log of a corporate environment or at ISP level. By using HTTPS, Gozi can evade this detection as only the hostname will appear in these log files and not the full URL anymore.
  • Full end-to-end encryption. Nobody in the middle can look into the requested information to see whether it is malicious or not. The bad guys are using the same technology that protects us for their own purpose.
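The proxy-log point above, as an added example that is not part of the original report: what a forward proxy retains for a plaintext request versus an HTTPS request, and a hostname-only match over those entries. The log lines (Squid native format), the `cnc.example.invalid` hostname and the blocklist are constructed placeholders; the real C&C host is withheld in the report.

```powershell
# Added example (not from the TrustDefender report). Constructed Squid-format log lines:
# one plaintext request, one TLS tunnel to the same (placeholder) host, one benign request.
$LogLines = @(
    '1285832603.123   245 10.0.0.12 TCP_MISS/200 1532 GET http://cnc.example.invalid/gozi/cfg.php?id=1 - DIRECT/203.0.113.5 text/html',
    '1285832611.987  1201 10.0.0.12 TCP_TUNNEL/200 8120 CONNECT cnc.example.invalid:443 - DIRECT/203.0.113.5 -',
    '1285832620.001   210 10.0.0.13 TCP_MISS/200 4410 GET http://www.example.org/index.html - DIRECT/198.51.100.7 text/html'
)
$Blocklist = @('cnc.example.invalid')   # placeholder hostname, not an indicator from the report

function ConvertFrom-SquidLogLine {
    param([Parameter(Mandatory)][string]$Line)
    # Squid native format: time elapsed client action/code bytes method url ident hierarchy type
    $f = $Line -split '\s+'
    $method = $f[5]
    $target = $f[6]
    if ($method -eq 'CONNECT') {
        # TLS tunnel: the proxy only ever sees "host:port"; path and query are inside the tunnel.
        $hostName = ($target -split ':')[0]
        $url = $null
    } else {
        # Plaintext HTTP: the full URL, including path and query string, is logged.
        $hostName = ([uri]$target).Host
        $url = $target
    }
    [pscustomobject]@{
        Time   = $f[0]
        Client = $f[2]
        Method = $method
        Host   = $hostName
        Url    = $url
    }
}

function Find-BlocklistedHosts {
    param([string[]]$Lines, [string[]]$Blocklist)
    foreach ($line in $Lines) {
        $entry = ConvertFrom-SquidLogLine -Line $line
        # Match on the hostname only: it is the one field present for both HTTP and HTTPS entries.
        if ($Blocklist -contains $entry.Host) { $entry }
    }
}

Find-BlocklistedHosts -Lines $LogLines -Blocklist $Blocklist | Format-Table -AutoSize
```

Both entries for the placeholder host are reported, but only the plaintext one carries a `Url`. A signature written against the request path would never fire on the CONNECT line, which is exactly why a hostname or destination-address reputation check is what remains once the C&C traffic moves to HTTPS.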

 

4.1 THE SSL CERTIFICATE

The certificate used for the server was signed by Equifax Secure Certificate Authority.

However, on closer inspection this certificate was issued through RapidSSL (a subsidiary) with only domain verification and no identity verification at all.

Full details are in the in-depth report.
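As an added example (not code from the report), the check a defender can run against any HTTPS server to see whether its certificate carries a verified organisation identity or is domain-validated only, as described above. The host name in the usage line is a placeholder; the CA/Browser Forum policy OIDs are a labelled assumption, as explained in the comments.

```powershell
# Added example (not from the TrustDefender report).

function Get-RemoteCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain: the goal is to inspect the certificate, not to trust it.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-CertValidationLevel {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $subject = $Cert.Subject
    # A domain-validated certificate names only the domain: CN=host, sometimes
    # OU="Domain Control Validated", and no O= carrying a verified organisation name.
    $hasOrg = $subject -match '(^|,\s*)O='
    $dvHint = $subject -match 'Domain Control Validated'

    # CA/Browser Forum policy OIDs (2.23.140.1.2.1 = DV, 2.23.140.1.2.2 = OV). Assumption: these
    # appear only on certificates issued under the Baseline Requirements, which postdate the
    # 2010 sample in the report; older certificates fall back to the Subject test above.
    $policyOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.32') {   # id-ce-certificatePolicies
            $policyOids = @([regex]::Matches($ext.Format($true), '\d+(\.\d+){3,}') | ForEach-Object { $_.Value })
        }
    }

    $level = if ($policyOids -contains '2.23.140.1.2.1' -or -not $hasOrg) {
        'domain-validated: nobody verified who holds this certificate'
    } else {
        'organisation-validated: O= present in Subject'
    }
    [pscustomobject]@{
        Subject         = $subject
        Issuer          = $Cert.Issuer
        HasOrganisation = $hasOrg
        DvHint          = $dvHint
        PolicyOids      = $policyOids
        Level           = $level
    }
}

# Usage (placeholder host):
# Get-CertValidationLevel -Cert (Get-RemoteCertificate -HostName 'www.example.com')
```

The padlock a browser shows says nothing about which of these two levels applies; the Subject field does. A certificate whose Subject is just `CN=hostname` tells you that the only thing the CA confirmed is control of the domain, which is all the operators of this C&C server needed.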

5 CONFIGURATION FILE

As we know, the Gozi configuration file is encrypted, but as no changes to the encryption scheme have been made we were able to decrypt the configuration file quickly.

The currently affected financial institutions together with their services are:

  • list of 18 financial institutions (mainly in the US) removed

 

If you are interested in the full configuration file, just drop us an email at labs@trustdefender.com and we’ll send you a copy.

 

6 HTML INJECTIONS

In this chapter, we’ll look in quite a bit of detail into the HTML injection techniques used by this Gozi configuration. Please note that the HTML injection technique is a feature of the Gozi Trojan (the software), but what exactly is injected (the content) is defined in the configuration file. This means that Gozi can do whatever the fraudsters want it to do, and the information presented below is therefore a characteristic of the configuration file used by Gozi and not of Gozi itself.

 

Blog Note: This is actually the main content of this in-depth report, but due to potentially sensitive information, this section is only available in the in-depth report. Please don’t hesitate to request a copy of it by emailing labs@trustdefender.com.

7 FURTHER INFORMATION

Further information can be obtained from the team at TrustDefender Labs by emailing us at labs@trustdefender.com.

 

8 APPENDIX FROM “OLD” FEBRUARY 2010 REPORT

8.1 HOW TO DETECT GOZI

8.1.1 MANUALLY

The best way to detect the presence of the Gozi Trojan is to look in the registry for the presence of the Gozi values. They are all consistently present here:

  • Gozi DLL
    • HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls
      • (where you’ll find a reference to the Gozi DLL)
  • Gozi configuration
    • HKCU\Software\AppDataLow\{GUID}
      • (where {GUID} is a globally unique identifier)
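The manual check above, as an added example that is not part of the original report: a script that enumerates the two registry locations named and cross-checks whether an AppCertDlls entry is currently loaded in a browser process (the injection TrustDefender watches for). The function names are mine; run it from an elevated PowerShell prompt on the suspect host.

```powershell
# Added example (not from the TrustDefender report).

function Get-AppCertDllEntries {
    # Every value under AppCertDlls names a DLL the loader maps into processes as they are
    # created; this is the hook the report describes. A clean system normally has no values here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
    if (-not (Test-Path -Path $key)) { return @() }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $dllPath = [string]$item.GetValue($name)
        [pscustomobject]@{
            ValueName = $name
            DllPath   = $dllPath
            OnDisk    = ($dllPath -ne '') -and (Test-Path -LiteralPath $dllPath)
        }
    }
}

function Get-AppDataLowGuidKeys {
    # Gozi keeps its configuration under HKCU\Software\AppDataLow\{GUID}. AppDataLow itself is a
    # legitimate key on Vista and later, so only GUID-named subkeys are reported.
    $key = 'HKCU:\Software\AppDataLow'
    if (-not (Test-Path -Path $key)) { return @() }
    foreach ($sub in Get-ChildItem -Path $key) {
        if ($sub.PSChildName -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
            [pscustomobject]@{
                Key        = $sub.PSChildName
                ValueNames = @($sub.GetValueNames())
            }
        }
    }
}

function Test-DllLoadedInBrowser {
    param([Parameter(Mandatory)][string]$DllPath)
    # The report notes the DLL ends up inside the browser; confirm by listing the modules of
    # running Internet Explorer / Firefox processes. Process bitness must match the PowerShell host.
    $leaf = Split-Path -Path $DllPath -Leaf
    $procs = Get-Process -Name iexplore, firefox -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        try {
            if ($p.Modules | Where-Object { $_.ModuleName -ieq $leaf }) { $p.Id }
        } catch { }   # access denied on a protected process is expected; skip it
    }
}

$entries = @(Get-AppCertDllEntries)
$cfgKeys = @(Get-AppDataLowGuidKeys)
"AppCertDlls entries: $($entries.Count)"
$entries | Format-Table -AutoSize
"GUID subkeys under HKCU\Software\AppDataLow: $($cfgKeys.Count)"
$cfgKeys | Format-Table -AutoSize
foreach ($e in $entries) {
    $pids = @(Test-DllLoadedInBrowser -DllPath $e.DllPath)
    if ($pids.Count -gt 0) { "$($e.DllPath) is loaded in browser PID(s): $($pids -join ', ')" }
}
```

Any AppCertDlls value at all deserves attention, but one whose DLL is also sitting inside iexplore.exe or firefox.exe, alongside a GUID-named subkey under AppDataLow, matches the picture in this report closely.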

8.1.2 TRUSTDEFENDER

Of course, TrustDefender will detect Gozi straight out of the box as it will see the Gozi DLL being injected into the Web browser process.

8.2 HOW TO REMOVE GOZI

As Gozi consists only of the one DLL, one can remove Gozi from the system by removing all related registry entries presented in this report. However, since the Gozi DLL is well hidden, it is not really straightforward to delete the Gozi DLL entries.

First, you have to identify the name of the Gozi DLL (e.g. lnksinfo.dll in our case) and then either use a utility such as MoveFile from Sysinternals (http://technet.microsoft.com/en-us/sysinternals/bb897556.aspx) or directly add an entry to the PendingFileRenameOperations registry value.

After a reboot, the file will have disappeared (you can check with the tab auto-complete trick in a command prompt) and you can verify that the Gozi registry entries are all gone, making your system safe again.
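The removal steps above, carried out as an added example (not a script from the report): unhook the AppCertDlls value, queue the DLL for deletion at boot by writing the PendingFileRenameOperations value directly (the same write MoveFile performs), and drop the configuration subkey. `Remove-GoziArtifacts` and its parameters are mine; the DLL path and `{GUID}` in the usage line are placeholders you replace with what you found on the system.

```powershell
# Added example (not from the TrustDefender report). Run elevated; use -WhatIf first.

function Remove-GoziArtifacts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$DllPath,   # full path of the DLL named under AppCertDlls
        [string]$ConfigKeyName                    # e.g. '{GUID}' under HKCU\Software\AppDataLow (optional)
    )
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $acKey = Join-Path -Path $smKey -ChildPath 'AppCertDlls'

    # 1. Unhook: delete every AppCertDlls value that points at the DLL, so new processes stop
    #    loading it even before the reboot. Comparison is case-insensitive on the full path.
    if (Test-Path -Path $acKey) {
        $item = Get-Item -Path $acKey
        foreach ($name in $item.GetValueNames()) {
            if ([string]$item.GetValue($name) -ieq $DllPath) {
                $regName = if ($name -eq '') { '(default)' } else { $name }   # default value needs this alias
                if ($PSCmdlet.ShouldProcess("$acKey\$regName", 'Remove AppCertDlls value')) {
                    Remove-ItemProperty -Path $acKey -Name $regName
                }
            }
        }
    }

    # 2. Queue the file for deletion at boot. PendingFileRenameOperations is a REG_MULTI_SZ of
    #    pairs: "\??\<source>" followed by the destination, and an empty destination means delete.
    #    smss.exe processes the list early in boot, before anything can map the DLL again.
    $existing = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $ops = New-Object System.Collections.Generic.List[string]
    if ($existing) { $ops.AddRange([string[]]$existing) }   # keep anything already queued
    $ops.Add("\??\$DllPath")
    $ops.Add('')
    if ($PSCmdlet.ShouldProcess($DllPath, 'Schedule deletion at next reboot')) {
        Set-ItemProperty -Path $smKey -Name PendingFileRenameOperations -Value $ops.ToArray() -Type MultiString
    }

    # 3. Remove the configuration subkey, if one was identified.
    if ($ConfigKeyName) {
        $cfg = "HKCU:\Software\AppDataLow\$ConfigKeyName"
        if ((Test-Path -Path $cfg) -and $PSCmdlet.ShouldProcess($cfg, 'Remove configuration key')) {
            Remove-Item -Path $cfg -Recurse
        }
    }
}

# Dry run, then the real thing (placeholder values):
# Remove-GoziArtifacts -DllPath 'C:\Windows\System32\lnksinfo.dll' -ConfigKeyName '{GUID}' -WhatIf
# Remove-GoziArtifacts -DllPath 'C:\Windows\System32\lnksinfo.dll' -ConfigKeyName '{GUID}'
```

After the reboot, re-run the detection check: the AppCertDlls value, the DLL on disk and the GUID subkey should all be gone.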

 
