Warning: Found new way to steal data encrypted using SSL/TLS

Shawn

Mar 26, 2007, 10:06:34 AM
to SecAudit
Russian malware authors are finding new ways to steal and profit from
data which used to be considered safe from thieves because it was
encrypted using SSL/TLS. Originally, this analysis intended to provide
insight into the mechanisms used to steal that data, but it became an
investigation into the growing trend of malware sold not as a product,
but as a service. Eventually it led to an alarming find and resulted
in an active law enforcement investigation.

A single attack by a single variant compromises more than 5200 hosts
and 10,000 user accounts on hundreds of sites.

- Steals SSL data using advanced Winsock2 functionality
- State-of-the-art, modularized trojan code
- Spread through IE browser exploits
- Undetected for weeks, months by many AV vendors
- Customized server/database code to collect sensitive data
- Customer interface for on-line purchases of stolen data
- Accounts compromised by stealing data primarily from infected home PCs
- Accounts at top financial, retail, health care, and government services affected
- Data's black market value at least $2 million

There are two other known variants. New variants, similar attacks
inevitable.


Full disclosure here:
http://www.secureworks.com/research/threats/gozi

Shawn
