Gozi is thought to have infected more than a million computers and caused tens of millions of dollars in damage. Back in January 2013 the FBI unsealed indictments against three individuals involved in the development and distribution of the Gozi malware. At the time it was considered a major blow to one of the world’s most dangerous trojans – the Christian Science Monitor went so far as to suggest, “it may be too hard to operate with the alleged masterminds in jail.”
It appears not. Trusteer has now detected a new deployment that infects computers’ master boot record, meaning that it loads with the operating system after every reboot, and even survives a re-installation of the OS. “Upon infection,” Etay Maor noted in a company blog post yesterday, “Gozi lurks in the MBR waiting for Internet Explorer (IE) to be launched. Once IE is detected, the malware injects itself into the process and runs inside the browser. It intercepts traffic and performs web injections like most financial Trojans do.”
The new variant seems to be an old version of Gozi – perhaps indicating that further development of the malware has indeed been stymied by the arrests. Other actors would appear to have taken the existing software and built it into a rootkit – a rare but not unknown occurrence with financial malware. Unfortunately, this makes it more dangerous than ever since rootkits, by their very nature, are difficult to detect and very difficult to remove.
ESET’s David Harley points out that rootkits and bootkits are hard to implement, but are not going away. “Caphaw/Shylock is a bank-targeting Trojan with an MBR module, and Gapz is very sophisticated,” he told Infosecurity. The impact of Gapz is low so far, but Harley expects some of the techniques it pioneers to be built into other malware.
This type of malware tends to lurk either in the MBR or device drivers on a Windows system, and can “by definition only be found by the capture and analysis of volatile data (RAM),” former Scotland Yard detective and now global security consultant for Damballa, Adrian Culley, explains. “Generally it will have replaced hooks, handles and DLLs.” He added, “There are some great free tools which let you capture RAM, such as AccessData Imager, and Guidance Software/Tableau's TIM – but the subsequent analysis is another undertaking altogether, probably best with proprietary tools.”
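A disk-side complement to the memory analysis Culley describes, added here as an illustration rather than anything from Trusteer, Damballa or the article: parse a raw 512-byte MBR sector and compare its boot code, disk signature and partition table against a known-good image captured at install time. The sample sectors, the benign boot stub and the overwritten one are all constructed for this example; a bootkit that replaces the bootstrap code typically leaves the partition table intact so the system still boots, which is exactly the drift this check surfaces.

```python
import hashlib
import struct

# Standard MBR layout (not taken from the article)
MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap code sits before the 4-byte disk signature
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sectors
BOOT_SIGNATURE = b"\x55\xAA"

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR sector into a boot-code hash, disk signature and partition list."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype:  # partition type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
            "partitions": partitions}

def mbr_drift(baseline: bytes, current: bytes) -> list:
    """Report which MBR regions differ from the known-good image."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code changed")        # the usual bootkit footprint
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code, one bootable NTFS partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[:BOOT_CODE_LEN] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:] = BOOT_SIGNATURE
    return bytes(sector)

BASELINE_MBR = build_sample_mbr(b"\xEB\x63\x90" + b"\x00" * 437)   # benign stub (constructed)
TAMPERED_MBR = build_sample_mbr(b"\xEB\x10\x90" + b"\x41" * 437)   # boot code overwritten (constructed)
```

On a live Windows host the current sector would be read from `\\.\PhysicalDrive0` with administrator rights, and the baseline should be stored off the machine, since a rootkit that hooks disk reads in memory can return a clean-looking sector.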
“Although some rootkits can be removed using dedicated tools,” adds Maor, “most experts recommend a complete hard drive format to ensure a clean start.”