Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Gozi Trojan Steals SSL Encrypted Data for Fun and Profit

Published: 2007-03-23
Last Updated: 2007-03-24 01:16:18 UTC
by John Bambenek (Version: 1)
0 comment(s)
A few days ago Secureworks had a good write up on the Gozi trojan (thanks to ISC readers Bob and BB for pointing it out). This Russian malware beauty was doing the rounds and went undetected for some time. An estimate says the black market value of the data stolen is $2 Million. It spread through IE web browser exploits and was able to steal SSL encrypted traffic using Winsock2. The days of the keylogger look to be over, the game got more interesting.

Basically, what this malware did was insert itself between Internet Explorer and the socket used to send data.  It then stole the data prior to encryption and sent it to your happy local Russian hacker. While (I believe) this is the first real slick attempt to steal SSL data by inserting a listener to take the data pre-encryption, the technique is not new.  In fact, I wrote about this same tactic almost 2 and half years ago.

Encryption is meaningless if one of the endpoints of the communication is compromised. If you tunnel your transaction over SSL to a vendor who happily takes your data and sells it, the SSL won't help you.  The same goes true for home PCs which according to any definition of security are completely untrustworthy. There are plenty of techniques to grab data before it is encrypted. The neanderthal way is to use a keylogger. Now there are other techniques in use.

Until we find a way to get consumer PCs secure, or better yet, find a way for private financial data to be transmitted through a PC without the untrusted PC being able to compromise it, no electronic financial transaction will be secure. If the home PC isn't secure, all the encryption in the world won't help.

UPDATE: ISC Reader Nick suggests "Man at the Endpoint" as a name for this kind of attack.

--
John Bambenek / bambenek (at) gmail.com
University of Illinois at Urbana-Champaign
Keywords:
0 comment(s)
Diary Archives