Gozi is a financial malware that was the focus of media attention over several months in late 2012 and early 2013. It infected more than 1 million computers around the world, causing tens of millions of dollars in damage. In late 2012, Gozi was part of a planned attack against U.S. banks, and recently, it was reported that the alleged author of the malware was arrested and faces up to 95 years in prison if he is found guilty

It seems that the capture of the alleged author was celebrated all too soon. Banks across the world — and specifically in the United States — have continued to experience Gozi-based fraud well into 2013. Not only that, but it’s actually getting worse.

Gozi Gets Worse

The research team for IBM Security Trusteer has identified a new Gozi variant that infects the Master Boot Record (MBR), ensuring it loads with the operating system after a reboot and remains on the infected system even if the operating system is reinstalled. Even though MBR rootkits are considered highly effective, they haven’t been integrated into a lot of financial malware. One exception was the Mebroot rootkit, which was used to deploy Torpig (aka Sinowal/Anserin).

Due to their strategic placement in the operating system’s kernel, rootkits are difficult to identify and remove. Upon infection, Gozi lurks in the MBR, waiting for Internet Explorer (IE) to be launched. Once IE is detected, the malware injects itself into the process and runs inside the browser. It intercepts traffic and performs Web injections, like most financial Trojans do. In fact, the Gozi variant IBM research detected looks like an old variant that was not previously packaged with the rootkit that was used. This may indicate that a new rootkit is being sold in cyber criminal forums and adopted by malware authors.

Although some rootkits can be removed using dedicated tools, most experts recommend a complete hard drive format to ensure a clean start. Financial institutions should change infected user credentials only after a system format or after the malware functionality is disabled.

IBM Security Trusteer Rapport protects end users by preventing the malware code from injecting into the browser. However, to fully mitigate fraud risk, it is recommended that infected users do format the hard drive, reinstall the operating system, install Trusteer Rapport and receive new credentials to their online banking account.

More from Banking & Finance

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

Cost of a Data Breach: Banking and Finance

The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything. Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection. Here’s the most sobering stat: 87% of…

What Do Financial Institutions Need to Know About the SEC’s Proposed Cybersecurity Rules?

On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal Register on March 23 – could change reporting requirements. Take a look at some of the big-ticket items and what your organization needs to know.…