Keylogging Trojan Dodges Anti-virus Detection

A new variant of the Russian Trojan Gozi is circulating on the Web, this time armed with a keylogging function and the ability to scramble itself so that it is difficult for anti-virus software to detect. The new Trojan is believed to have been spreading since April 17 and, like the original, which was discovered earlier in 2007, it steals data from encrypted Secure Sockets Layer streams. The latest variant was uncovered May 7 by Don Jackson, a security researcher at SecureWorks in Atlanta. Jackson also found one data cache from the Gozi variant that contained 2,000 new victims and several thousand bank and credit card account numbers, Social Security numbers and other personal information. SecureWorks researchers suspect that this is not the only server holding stolen Gozi data.

"If you were infected before mid-May, then it will act like a rootkit and hide itself on your PC and will make itself undetectable by most anti-virus software," he said. To remedy this, he suggested that home users reboot their computers in Safe Mode and run an anti-virus scan assuming their anti-virus vendors have a signature for the Gozi variant. The newest instalment of Gozi has a compression component that it uses to uncompress the blocks of code that it needs to run. When it no longer needs those blocks of code, it recompresses them, making it almost impossible to see everything the variant is doing in memory and that much harder for anti-virus scans to detect.
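The compress-on-demand behaviour described above is a classic packer trait, and one generic signal defenders use to triage it is byte entropy: compressed or encrypted code is statistically close to random, while ordinary machine code is not. The following Python is an added example, not code from the article or from SecureWorks: it scores fixed-size windows of a memory dump or file image and flags the high-entropy ones. The sample image, the 1024-byte window and the 7.0-bit threshold are constructed for illustration.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_windows(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Return (offset, entropy) for every window whose entropy reaches the threshold.

    Windows scoring this high are candidates for compressed, encrypted or packed
    content; a trailing fragment shorter than half a window is skipped because
    entropy estimates on tiny samples are unreliable.
    """
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:
            break
        e = shannon_entropy(chunk)
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


# Constructed sample image (assumption: stands in for a process memory region).
# PLAIN_REGION imitates ordinary code: 64 distinct byte values, uniformly used,
# which gives exactly 6.0 bits per byte.
PLAIN_REGION = bytes(range(0, 256, 4)) * 64  # 4096 bytes

# PACKED_REGION imitates a compressed code block. Seeded pseudo-random bytes are
# run through zlib so the output carries real DEFLATE framing; compressed output
# is statistically near-random, which is exactly what the entropy check keys on.
_rng = random.Random(2007)
PACKED_REGION = zlib.compress(_rng.randbytes(4096), 9)

SAMPLE_IMAGE = PLAIN_REGION + PACKED_REGION


if __name__ == "__main__":
    for off, e in scan_windows(SAMPLE_IMAGE):
        print(f"high-entropy window at offset {off:#08x}: {e} bits/byte")
```

Entropy alone does not prove malice: legitimate packed executables, embedded images and cryptographic material all score high, so the offsets it flags are where a memory scanner or analyst should look next, not a verdict on their own.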

News source: Physorg


13 Comments


pah, even then OneCare probably still won't see ****. It's one of the most useless pieces of crapware around; if you rely on it then more fool you. If you need a good AV, go check an AV testing website. Oh, and Norton's and McStuffies are just as bad as OneCare, so stay away from them too.

I enjoyed the part...

To remedy this, he suggested that home users reboot their computers in Safe Mode and run an anti-virus scan—if their anti-virus vendors have a signature for the Gozi variant.

well, it appears Microsoft's "One Care" won't run in safe mode.

you have to be sh*tting me, their own freaking software doesn't run in safe mode?

*edit*

after a little searching, I've discovered that you have to run Safe Mode with Command Prompt, then navigate to the OneCare Live folder, and run the safe-mode AV scanner.
I really wish they would have listed the names of the companies that could identify it.

here's a link for those who care...

http://forums.microsoft.com/WindowsOneCare...73&SiteID=2

It probably just disables UAC. I just used a piece of software that does this (a nice one :P) before modding a video card driver, and injecting it back into the msi installer. There was this nice little check box above the 'apply' button.

  • Disable UAC. This prevents a barrage of security dialogs and improves patching speed.

If a driver tool can do this, why not a piece of malicious software?

I'm getting to the point where I don't even want to surf the net on Windows. You never know WTF has been floating around undetected for months.

well I guess if you're very careful about what you download (basically avoid shady sites) and keep browser/Windows updates up to date... you (in most cases) should not worry about much... and if you've got a decent firewall (preferably a hardware firewall)... all in all you're fairly safe... and as everyone knows on Neowin, "you can never have 100 percent security".

I would use a different browser than IE as (as I'm sure you already know) most exploits etc. are made for it... so that right there makes a browser like Firefox/Opera (I use Firefox myself) overall better in terms of security in most cases, although no browser is perfect.

ThaCrip said,
well I guess if you're very careful about what you download (basically avoid shady sites) and keep browser/Windows updates up to date... you (in most cases) should not worry about much... and if you've got a decent firewall (preferably a hardware firewall)... all in all you're fairly safe... and as everyone knows on Neowin, "you can never have 100 percent security".

I would use a different browser than IE as (as I'm sure you already know) most exploits etc. are made for it... so that right there makes a browser like Firefox/Opera (I use Firefox myself) overall better in terms of security in most cases, although no browser is perfect.

My setup includes a hardware firewall, SpywareBlaster, FF with NoScript and KAV7. The only other thing I might do is start using a limited account for everyday use. I don't DL shady stuff; it's the viruses embedded in website code that bother me. Guess that's where NoScript does its job.