Gozi Financial Malware Puts the Boots On

Gozi is a financial malware that was the focus of media attention over several months in late 2012 and early 2013. It infected more than 1 million computers around the world, causing tens of millions of dollars in damage. In late 2012, Gozi was part of a planned attack against U.S. banks, and recently, it was reported that the alleged author of the malware was arrested and faces up to 95 years in prison if he is found guilty

It seems that the capture of the alleged author was celebrated all too soon. Banks across the world — and specifically in the United States — have continued to experience Gozi-based fraud well into 2013. Not only that, but it’s actually getting worse.

Gozi Gets Worse

The research team for IBM Security Trusteer has identified a new Gozi variant that infects the Master Boot Record (MBR), ensuring it loads with the operating system after a reboot and remains on the infected system even if the operating system is reinstalled. Even though MBR rootkits are considered highly effective, they haven’t been integrated into a lot of financial malware. One exception was the Mebroot rootkit, which was used to deploy Torpig (aka Sinowal/Anserin).

Due to their strategic placement in the operating system’s kernel, rootkits are difficult to identify and remove. Upon infection, Gozi lurks in the MBR, waiting for Internet Explorer (IE) to be launched. Once IE is detected, the malware injects itself into the process and runs inside the browser. It intercepts traffic and performs Web injections, like most financial Trojans do. In fact, the Gozi variant IBM research detected looks like an old variant that was not previously packaged with the rootkit that was used. This may indicate that a new rootkit is being sold in cyber criminal forums and adopted by malware authors.

Although some rootkits can be removed using dedicated tools, most experts recommend a complete hard drive format to ensure a clean start. Financial institutions should change infected user credentials only after a system format or after the malware functionality is disabled.

IBM Security Trusteer Rapport protects end users by preventing the malware code from injecting into the browser. However, to fully mitigate fraud risk, it is recommended that infected users do format the hard drive, reinstall the operating system, install Trusteer Rapport and receive new credentials to their online banking account.

Etay Maor

Executive Security Advisor, IBM Security

Etay Maor is an Executive Security Advisor at IBM Security, where he leads security and fraud fighting awareness and...