Tag Archives: trojan

Gozi – a perfect example of an “older” trojan re-inventing itself

Executive Summary

Gozi is a well known Trojan that has been around for a number of years now. However, we have recently encountered a new wave of Gozi variants and feel that this is a great opportunity to look at this sophisticated Trojan and how it has evolved over the last few years.

Gozi has always been associated with a Russian heritage and was once part of notorious Russian cyber crime operations. The last significant wave of Gozi Trojans was back in 2007/2008, and at that time Gozi’s feature list was more than impressive. According to SecureWorks, who did an in-depth analysis of the Trojan at that time, Gozi’s features included:

  • Advanced Winsock2 functionality employed to steal SSL data
  • State-of-the-art, modularized Trojan code
  • Ability to spread through IE browser exploits
  • Customized server/database code to collect sensitive data
  • Customer interface for on-line purchases of stolen data
  • Accounts compromised by stealing data primarily from infected home PCs
  • Victims included accounts of top financial, retail, health care, and government services
  • Data’s black market value of at least US$2 million
  • Ability to remain undetected for weeks or months by many AV vendors

As you can see, one of the most impressive features was the way Gozi was able to hide on a system and stay undetected for a long period of time, ultimately allowing it to carry out its nasty work undisturbed.

In this in-depth report, we will look at the new variant of Gozi and how it has improved Gozi’s renowned stealth behaviour even further. We also look at how Gozi does its dirty work and present details of the inner workings of this malware. As always, the report also contains instructions relating to the detection and removal of this nasty threat.

Installation

We analysed a number of Gozi samples and all of them were delivered as drive-by infections, either via malicious PDF documents or via exploit kits (such as Justexploit).

Malicious PDF document

We witnessed a number of Gozi Trojans distributed via malicious PDF documents. We specifically looked at a PDF with MD5 b72163b1d5fbc0f2e88e984bf0ac601e, which exploits a buffer overflow in Adobe Acrobat Reader (CVE-2007-5659). The only goal of the malicious PDF is to download the “real” Gozi sample, called update.exe, with MD5 cd4d37ea17007cbdfa0d9cc96b5fc1dc.

This sample has successfully evaded detection by all Antivirus Engines with a VirusTotal detection of 0% on Jan 25, 2010! This only attests to the sheer ability of Gozi to conceal itself.

This Trojan achieves one of the worst detection rates we have encountered, which is quite extraordinary considering that Gozi itself has been around for such a long period of time. Even after 10 days the detection rate of Gozi was still only 65%, which is interesting as all participating Antivirus Engines receive the samples that they don’t detect.

Justexploit kit

The samples we analysed from drive-by-infection kits had a slightly better VirusTotal antivirus rating, with 27% (11/41) detection on Jan 28, 2010 (http://www.virustotal.com/de/analisis/17fcef4a88cfc950a62d2c79e1670cc9b9d742cd4ea3310e0df337fef7451ed8-1264637346).

Please note that Justexploit uses geographic distribution, a common feature of today’s exploit kits. This means the bad guys will only infect the people they want to infect (targeted regions). In this particular case we could confirm that the installation process worked in Australia, the UK, Germany and the US.

Execution

After the sample is executed, Gozi installs itself in the system in a very sophisticated way that fools most traditional security solutions and additionally deletes the installer file from the hard drive.

The Gozi Trojan consists of a DLL that is injected into every single process. Gozi employs a little-known procedure of registering the DLL within the AppCertDlls subkey of the HKLM\System\CurrentControlSet\Control\Session Manager registry key. By doing this, Gozi is automatically loaded by kernel32.dll into every single process that is started on the computer.

This method is a very innovative approach: by utilising such a little-known feature, many security solutions that only check the usual auto-start locations (e.g. the Run registry key) will miss this infection.

The associated filenames seem to be semi-random; in our case we saw krnlbkup.dll and lnksinfo.dll. Both files reside in the System32 folder of the Windows directory (C:\Windows\System32).

File System Stealth

See in-depth report

Registry changes

See in-depth report

Process hooks

See in-depth report

The C&C communication

See in-depth report

Gozi C&C server

See in-depth report

Gozi configuration file

See in-depth report

Functionality of Gozi

Keylogging / Network sniffing

One of the main functionalities of Gozi is to steal any data that is transmitted over the internet. Gozi does not employ keylogging techniques to do so, but rather looks at any POST requests that are sent to the internet from the computer and sends the interesting content to the Gozi C&C server.

As Gozi is running as part of the Internet Explorer process, it has full control of the data BEFORE it is encrypted, and therefore Gozi can get access even to SSL encrypted data. Naturally this includes websites with EV-SSL certificates as well.

The following example shows the Gozi traffic for a login attempt with Bank of America. Firstly we see the use of EV-SSL in the browser, as depicted below:

After the Online ID is entered by a user and the “Sign In” button is clicked, the following internet request can be seen being sent to the Gozi C&C server:

Please note that we used a fake online ID 123123123 and chose NV as the State, as captured by Gozi in the above snapshot.

The next step of Bank of America’s two-step login procedure will then allow Gozi to intercept the password, as can be seen in the following request capture:

As you can see, we used mypassword as a password and this too was captured by Gozi.

SOCKS Proxy

Gozi has the ability to install a SOCKS proxy on the machine. On both of our installations this did not happen and no backdoor was installed (the HTTP C&C parameter socks was equal to 0). If a SOCKS proxy is installed, the C&C server is notified of the listening port of the SOCKS proxy via the socks HTTP parameter.

A SOCKS proxy enables an attacker to relay any internet traffic through a victim’s machine and therefore evade geographic or public IP risk mitigation strategies.

Real-time functionality / HTML injection

Gozi has learned from the past and has adapted to the authentication improvements made by financial institutions. It does not only have the ability to statically send keystrokes or POST credentials to the C&C server; it can also alter the HTML of the current page.

Gozi accomplishes this by using the configuration file, either statically injecting the HTML from the configuration file or dynamically downloading HTML chunks to accommodate whatever it needs to do. Gozi will first identify the financial institution using its URL and will then make a request to its C&C server in real-time for additional instructions.

As the analysed Gozi sample has only Swiss banks in the configuration, let’s look at a login attempt to Credit Suisse:

When the user is clicking on Login, the following internet traffic can be seen:

The Gozi Trojan will make a request to the C&C server with the following format:

  • GET /1.pl?<BANKID>&<id>, where
    • <BANKID> represents different targets based on the configuration file. Four different targets have been confirmed in this analysis; however, this can easily change as part of the configuration file.
    • depending on the <id> parameter, different HTML chunks will be delivered.

After the 1.pl request is completed, Gozi will send the login credentials to the C&C server “as normal”.

Upon first analysis, Gozi does this for all financial institutions that have some kind of challenge/response or use some additional authentication mechanism (such as banks with the RSA token).

For all C&C communications where the URL matched a financial institution from the configuration file, the response from the Gozi C&C was always “/home/system/data/base_cur/fastlogs/ok!”.

It even includes compromised account details

See in-depth report

History and Improvements of Gozi over time

Based on the previous research of SecureWorks relating to the older samples of Gozi (http://www.secureworks.com/research/threats/gozi/), we can see great improvements of this threat over time.

In 2007 and 2008, all Gozi samples we found were executables that were running as a proper process on the system (such as x_ymvb.exe or xrt_ohcq.exe in the %UserProfile% directory). They were loaded at every Windows startup through inclusion in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key.

This had some obvious disadvantages, namely that the Gozi process was clearly visible to traditional security scanners. In addition, Gozi had to work very hard to get access to the internet traffic produced by the web browser. This was summarised in the SecureWorks analysis below:

The code reveals that calls to functions in ws2_32.dll are used to establish itself as an LSP (layered service provider) using the Winsock2 SPI (Service Provider Interface). It “goes in between” Internet Explorer and the socket used to send the data. This is consistent with reading/enumeration of registry keys having to do with network interfaces, zones, and namespace providers. This is the mechanism used to bypass SSL/TLS and intercept the network data on the fly, before it is encrypted.

This new version of Gozi does not run as its own process, but rather as a DLL that is injected into the web browser process. Furthermore, it uses a little-known way of making sure it gets injected into every process as a means of ensuring increased effectiveness.

This also removed the need for an LSP interface at all, as LSPs are known to be very unstable.

These improvements were clearly made to allow Gozi to stay hidden in stealth-like mode on the system and to ensure Gozi is not easily detected by traditional security scanners.

How to detect Gozi

Manually

The best way to detect the presence of the Gozi Trojan is to look in the registry for the presence of the Gozi values. They are all consistently present here:

  • Gozi DLL
    • HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls
      • (where you’ll find a reference to the Gozi DLL)
  • Gozi configuration
    • HKCU\Software\AppDataLow\{GUID}
      • (where {GUID} is a globally unique identifier)
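The two registry locations above (the AppCertDlls registration described under Execution, and the per-user configuration key) can be checked with a short script. This is an added example, not code from the original post or from TrustDefender; it assumes an elevated PowerShell session, and the GUID-key check only surfaces candidates, since legitimate low-integrity IE add-ons also write under AppDataLow.

```powershell
# Added example (not from the original post): enumerate the two registry locations
# the report names for Gozi and flag entries that deserve a closer look.

function Get-AppCertDllFindings {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
    # The key is normally absent on a clean machine; no key means nothing to load.
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $path   = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
        $exists = Test-Path -LiteralPath $path
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Source     = 'AppCertDlls'
            ValueName  = $name
            Path       = $path
            Signature  = $sig
            # The report's DLLs (krnlbkup.dll / lnksinfo.dll) are unsigned and hidden on
            # disk, so an unsigned or "missing" AppCertDlls target is the signal here.
            Suspicious = (-not $exists) -or ($sig -ne 'Valid')
        }
    }
}

function Get-AppDataLowGuidFindings {
    $base = 'HKCU:\Software\AppDataLow'
    if (-not (Test-Path $base)) { return @() }
    $guidRe = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    foreach ($sub in Get-ChildItem $base) {
        if ($sub.PSChildName -match $guidRe) {
            [pscustomobject]@{
                Source     = 'AppDataLow'
                Key        = $sub.PSChildName
                ValueCount = $sub.ValueCount
                # Lead, not verdict: IE protected-mode add-ons legitimately use this area.
                ReviewNeeded = $true
            }
        }
    }
}

@(Get-AppCertDllFindings) + @(Get-AppDataLowGuidFindings) | Format-List
```

Any AppCertDlls entry reported as Suspicious should be cross-checked against the DLL names in the Execution section before removal.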

TrustDefender

Of course, TrustDefender will detect Gozi straight out of the box as it will see the Gozi DLL being injected into the Web browser process.

How to remove Gozi

As Gozi consists of only the one DLL, one can remove Gozi from the system by removing all related registry entries presented in this report. However, since the Gozi DLL is well hidden, deleting the Gozi DLL itself is not really straightforward.

First, you have to identify the name of the Gozi DLL (e.g. lnksinfo.dll in our case) and then either use a utility such as MoveFile from Sysinternals (http://technet.microsoft.com/en-us/sysinternals/bb897556.aspx) or directly add the entry to the PendingFileRenameOperations registry key.

After a reboot, the file would have disappeared (you can check with the auto-complete tab trick) and you can verify that the Gozi registry entries are all gone, making your system safe again.
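The removal steps above can be scripted. This is an added example, not code from the original post or from TrustDefender; it assumes an elevated session, that the DLL name was identified beforehand (lnksinfo.dll from the report is used in the usage call), and that the configuration {GUID} key, if passed, was confirmed as Gozi’s rather than guessed.

```powershell
# Added example (not from the original post): unregister the Gozi DLL from AppCertDlls
# and queue the file for deletion at next boot, the same mechanism Sysinternals MoveFile
# uses. PendingFileRenameOperations is a REG_MULTI_SZ of source/destination pairs; an
# empty destination means "delete", and the source uses the NT form \??\C:\...

function Remove-GoziArtifacts {
    param(
        [Parameter(Mandatory)][string]$DllName,   # e.g. lnksinfo.dll (from detection)
        [string]$ConfigGuid                        # optional: {GUID} under HKCU\Software\AppDataLow
    )
    $sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $appCert    = Join-Path $sessionMgr 'AppCertDlls'
    $dllPath    = Join-Path $env:SystemRoot "System32\$DllName"

    # 1. Remove every AppCertDlls value pointing at the DLL so kernel32 stops loading it.
    if (Test-Path $appCert) {
        $item = Get-Item $appCert
        foreach ($name in $item.GetValueNames()) {
            if (([string]$item.GetValue($name)) -like "*\$DllName") {
                Remove-ItemProperty -Path $appCert -Name $name
            }
        }
    }

    # 2. Append a delete pair to PendingFileRenameOperations, preserving existing entries.
    $existing = (Get-ItemProperty -Path $sessionMgr -Name PendingFileRenameOperations `
                 -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $ops = New-Object System.Collections.Generic.List[string]
    if ($existing) { $ops.AddRange([string[]]$existing) }
    $ops.Add("\??\$dllPath")
    $ops.Add('')
    Set-ItemProperty -Path $sessionMgr -Name PendingFileRenameOperations `
        -Value ([string[]]$ops) -Type MultiString

    # 3. Drop the per-user configuration key if the caller identified it.
    if ($ConfigGuid) {
        $cfg = "HKCU:\Software\AppDataLow\$ConfigGuid"
        if (Test-Path $cfg) { Remove-Item -Path $cfg -Recurse }
    }
    "Queued $dllPath for deletion; reboot and re-run the detection checks."
}

Remove-GoziArtifacts -DllName 'lnksinfo.dll'
```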

Further Information

Further information can be obtained from the team at TrustDefender Labs by emailing us at labs@trustdefender.com.

URLZone – a disaster waiting to happen

Thanks to an effective PR strategy, most probably everybody has heard about URLZone by now. If not, you can find out more information regarding URLZone here or here.

We have been talking about this for some time and we have already witnessed a few Trojans using this technique. However, URLZone (or Bebloh) is now the first Trojan to come up with a professional setup to steal money from your account. Not only does it completely control your internet banking session, but it also automatically performs wire transfers to money mule accounts. If this isn’t bad enough, URLZone will then manipulate your online account statement to offset the fraudulent transaction (it can also remove the transaction or change the amount). The first time a victim would become aware of the fraudulent transaction(s) may be weeks or even months later, when they receive their paper statement in the mail (that is, if they get a paper statement at all; lots of banks are trying to get rid of it altogether!).

Although real-time and session-based Trojans have been around for quite a while, they weren’t used in such a sophisticated way. An example was Yaludle (a Silentbanker variant), which injected HTML into the website that was dynamically retrieved from the web in real-time!

At the moment, only German banks are part of the URLZone configuration, but the bad guys can change the configuration at any second. Attacks against German online banks have always been very sophisticated, simply because the German banks have employed one-time-password mechanisms (so-called transaction numbers or TANs) for many years. Now the bad guys have found their way around these mechanisms using such sophisticated techniques.

First-generation attacks employing such Trojans saw the bad guys inject HTML code into the online banking login page to gather TANs in classical phishing attempts.

Then we saw more sophisticated attacks using variants of the well-known Bzub Trojan, which had the ability to perform wire transfers and remove them from the account statement.

Now we have URLZone doing silent wire transfers in the background and changing the online account statement.

It is only because of the large amounts that these Trojans are fraudulently stealing that we are beginning to hear about URLZone in the news, such as the recent $447,000 USD heist at Ferma in California, USA. While the manager had issued legitimate payments, the program initiated a further 27 transactions to various bank accounts, siphoning off a total of $447,000 USD in a matter of minutes. “They not only got into my system here, they were able to ascertain how much they could draw, so they drew the limit,” says Roy Ferrari, Ferma’s President (http://www.technologyreview.com/computing/23488/?a=f).

Another recent high-profile case was the gigantic Zeus botnet, which also resulted in large amounts being stolen, such as the $415,000 USD heist at Bullitt County, Kentucky (http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html).

And let’s not forget Signs Designs Inc who also recently lost close to $100,000 USD in similar attacks (http://voices.washingtonpost.com/securityfix/2009/09/more_business_banking_victims.html).

In light of the above, I want to point out a few notes:

  • Firstly – The problem has been around for a long time and it seems that people only do something about such threats when they are large enough to be mentioned in the press. That’s exactly what the intelligent botnets such as Mebroot/Torpig are exploiting. By staying under the radar and not being too greedy they can do their dirty work and don’t have to worry about consequences. Their motto seems to be: just keep the security industry busy with non-threats like Conficker and they won’t hassle you.
  • Secondly – This type of attack cannot be solved with 2-factor authentication.
  • Thirdly – While there is much hype around URLZone at the moment around how amazing and disturbing it is that the bad guys can do such things, we will always have this problem if the bank’s security and the user’s security systems are not connected.
  • Fourthly – While the Trojan is very, very sophisticated and advanced on the delivery side, they have made it incredibly easy for the good guys to catch them. Don’t expect this to happen in the future with new variants. We are still at the beginning…

One further thing to note is that since all real-time, session-based Trojans need to talk to a C&C server during the banking transaction, just one of TrustDefender’s many layers of protection will fully protect you against such attacks. Our “Secure Lockdown” knows all internet requests that belong to the financial institution and will block everything else while you are in a banking transaction. This will always protect you against all Trojans that work on this principle, not just the likes of URLZone.

In addition, our Forensics Engine will also pick up the URLZone Trojan itself and will alert you of the infection, while also automatically disabling it for the period of the transaction. This will ensure you are always Safe and Secure while transacting online.

Due to popular demand, we have put together an in-depth TrustDefender Labs report about URLZone, which you can request by sending an email to labs@trustdefender.com. The in-depth report features the complete inner workings, together with an analysis of the configuration file and forensics information.

Silentbanker reloaded

It’s been a while since we last looked at and analysed a Silentbanker Trojan in October 2008, and we have been writing about it on our blog at http://www.trustdefender.com/blog for some time.

The last couple of weeks/months have been quiet for Silentbanker, but now Silentbanker is back in action, very much alive and kicking. We have taken another detailed look at these new variants, how they now operate and how they have continued to evolve since last year.

The interesting fact is that it hasn’t evolved that much and the authors haven’t included too many new features. This is partly because the Silentbanker Trojan already has an impressive list of features, including HTTP(S) form sniffing, network tracing, session hijacking and HTML web injection capabilities.

The Silentbanker Trojan only affects Internet Explorer and no other browsers, as it is implemented as a Browser-Helper-Object (BHO).

However, compared to the new top dogs who have stepped up the pace and gained extensive publicity, such as Zeus, Mebroot/Torpig or Clampi, the Silentbanker Trojan nowadays seems to be a Trojan of fairly average sophistication: it only employs basic rootkit techniques, uses no encryption for the upload of the stolen data and has a fairly basic C&C infrastructure. This, however, doesn’t mean that Silentbanker is not up to the task. It just shows how much innovation the bad guys have put into the other Trojans.

But as the Silentbanker Trojan is completely silent and won’t slow down the computer at all, most users will not find any suspicious behaviour and we assume that it was very effective especially in its first couple of weeks of operation.

In conclusion, it becomes pretty obvious that the Silentbanker Trojan has fallen behind the likes of Mebroot/Torpig, Clampi or Zeus in terms of sophistication. While this may be perceived as good news, the bad news is that the employed techniques still work, and on top of that the creators will for sure enhance the Silentbanker Trojan in the future. Watch this space…

Installation

We analysed the Silentbanker dropper with MD5 e1e2b3389dd2e020ae2783b8c6c80a08, which had a VirusTotal detection of 12/41, 29.27% (http://www.virustotal.com/analisis/112946f35cf76ed853b44aeaf837cc5c9ad15722e46637e3af1f82b4b122f41b-1252598004).

The inner workings haven’t changed too much from the Silentbanker Trojans we analysed around the same time last year, in October 2008.
The dropper installs a Browser-Helper-Object (BHO) and registers its payload DLL with Internet Explorer. The payload in our case was mscorewr.dll (in the C:\Windows\System32 folder), with a VirusTotal detection of 9/41, 21.95% (http://www.virustotal.com/analisis/7b062ddb9dbc50cea53b98df892d4ceac003ece8551976085bd7ff57d5a5c664-1252582306).

The Silentbanker Trojan comes with a hard-coded C&C server which in our case was businessrest.cn (190.183.60.82).

Usermode hooks

Once the Silentbanker Trojan is active in memory (basically when Internet Explorer starts), it sets up export hooks so that it gets access to all transmitted internet traffic and to much more information.
All sophisticated Trojans hook core Windows functions to compromise the system. Our Silentbanker Trojan hooked (or redirected), among others, the following core Windows functions (full details are available in the in-depth report):

  • HttpOpenRequestA/W
  • HttpSendRequestA/W
  • InternetConnectW
  • InternetReadFile
  • InternetReadFileExA/W
  • InternetWriteFile
  • CommitUrlCacheEntryA/W

As you can see, it basically hooks all internet-related functions to get access to the internet traffic (even though it might be encrypted with SSL or EV-SSL!).

These usermode hooks enable the Trojan to do its dirty work.

HTML Web injection

The Silentbanker Trojan also has the capability to inject arbitrary HTML code into a website, and it makes use of this mainly to get additional information from the user. The disturbing fact, however, is that this is also possible with HTTPS together with EV-SSL certificates. This way, the website looks legitimate from all angles: the URL is correct, the SSL certificate is fine and the green bar is shown. The reason is that the website actually comes from the legitimate site; however, the Silentbanker Trojan locally injects its malicious HTML code into the site. The injected code differs for each financial institution and is part of the configuration file.

A few examples are shown in the screenshots winject1 and winject2 (images not reproduced here).

How to detect the Silentbanker Trojan

As the Silentbanker Trojan is a Browser-Helper-Object (BHO), you’ll see it appearing in the “Manage Add-ons” option of Internet Explorer (from the menu, choose “Tools” and then “Manage Add-ons”).
In our case the Trojan was called “mscorewr” and pretended to be a “Macrovision” component.
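The same inventory can be pulled from the registry without opening Internet Explorer, which also reveals the DLL path and signature behind each add-on name. This is an added example, not code from the original post or from TrustDefender; it assumes the standard BHO registration locations (HKLM, plus Wow6432Node on 64-bit Windows) and that the display name comes from the CLSID key.

```powershell
# Added example (not from the original post): list every registered BHO with the DLL
# behind it and its Authenticode status. Silentbanker's mscorewr.dll appeared as a
# "Macrovision" add-on; an unsigned DLL under System32 is what stands out in this list.

function Get-BhoInventory {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem $bhoKey) {
            $clsid = $entry.PSChildName
            # The BHO key only stores the CLSID; name and DLL come from HKCR\CLSID\{...}.
            $clsidKeys = @("Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
                           "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid")
            $name = $null; $dll = $null
            foreach ($ck in $clsidKeys) {
                if (-not (Test-Path $ck)) { continue }
                $name = (Get-ItemProperty $ck).'(default)'
                $srv  = Join-Path $ck 'InprocServer32'
                if (Test-Path $srv) {
                    $raw = [string](Get-ItemProperty $srv).'(default)'
                    $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
                }
                break
            }
            $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
                       (Get-AuthenticodeSignature -FilePath $dll).Status
                   } else { 'FileMissing' }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                Dll       = $dll
                Signature = $sig
                # Unsigned or missing DLL, or a name that does not match the file's
                # publisher (as with "Macrovision" / mscorewr.dll), warrants review.
                ReviewNeeded = ($sig -ne 'Valid')
            }
        }
    }
}

Get-BhoInventory | Sort-Object ReviewNeeded -Descending | Format-Table -AutoSize
```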

How TrustDefender protects you

As you would expect, TrustDefender protects you against Silentbanker from the very first second. TrustDefender employs a defence-in-depth strategy, and we are happy to say that every single component alone will protect you against Silentbanker.

  • Malicious BHO
    TrustDefender will automatically protect you from malicious Browser-Helper-Objects and makes sure that those components cannot penetrate the current session.
  • Usermode Hooks
    As described before, this is how Silentbanker gets access to all its information. TrustDefender’s Forensics Analysis will pick up these hooks and disable them for the current session.
  • Secure Lockdown
    As Silentbanker works in real time and sends the stolen credentials to its C&C server at the time of login, TrustDefender will automatically block this request, as the Secure Lockdown only allows internet requests that are associated with the current web service (e.g. online bank).

Further Information

Further information can be obtained from the team at TrustDefender Labs. Just email us at labs@trustdefender.com.