Gozi is financial malware that has been the focus of media attention in the past several months. It has infected more than one million computers around the world, causing tens of millions of dollars in damages. In late 2012 Gozi was part of a planned attack against US banks, and it was recently reported that the Gozi author had been arrested and faces up to 95 years in prison if convicted.
It seems that the arrest of the Gozi author was celebrated too soon. Banks across the world, and specifically in the US, continue to experience Gozi-based fraud. Not only that, it is actually getting worse. Trusteer’s security team has identified a new Gozi variant that infects the Master Boot Record (MBR), ensuring that its code runs on every boot, before the operating system loads, and that it survives a reinstall of the operating system that leaves the MBR in place (a reinstall onto the existing partitions does not rewrite sector 0 of the disk).
Even though MBR rootkits are considered highly effective, they have not been integrated into many financial malware families. One exception was the Mebroot rootkit, which was used to deploy Torpig (aka Sinowal / Anserin). Because they execute before the operating system and then hook into its kernel, these rootkits are difficult to identify and remove. Once installed, the Gozi variant lurks in the MBR waiting for Internet Explorer (IE) to be launched. When IE starts, the malware injects itself into the process and runs inside the browser, where it intercepts traffic and performs web injections like most financial Trojans do. In fact, the Gozi variant Trusteer research detected looks like an older variant that had not previously been packaged with this rootkit. This may indicate that a new rootkit is being sold on cybercriminal forums and is being adopted by malware authors.
Although some rootkits can be removed using dedicated tools, most experts recommend a complete hard drive format to ensure a clean start; the wipe must cover sector 0 of the disk (repartitioning or zeroing the drive), because formatting only the system partition leaves the infected boot code in place. Financial institutions should replace an infected user’s credentials only after the system has been formatted or the malware’s functionality has been disabled, since credentials issued while the malware is still intercepting browser traffic will simply be captured again. Trusteer Rapport protects end users by preventing the malware from injecting its code into the browser. However, to fully mitigate fraud risk it is recommended that infected users format the hard drive, reinstall the OS, install Trusteer Rapport and receive new credentials for their online banking account.
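The persistence mechanism described above (boot code in sector 0 replaced, partition table left intact so the machine still boots) and the removal advice both come down to the first 512 bytes of the disk. The following is an added example, not code from the original post or from Trusteer: it parses an MBR, verifies the 0x55AA boot signature, decodes the partition table, and compares a SHA-256 of the boot-code region against a baseline recorded on a known-clean system, then shows how rewriting only that region (what boot-sector repair tools do) restores the clean hash. The sample MBR bytes, the device paths in `read_mbr`, and the "clean" and "infected" boot-code stand-ins are all constructed for the demonstration and are not Gozi artifacts.

```python
"""
Added example, not from the original post: MBR integrity baseline check.
An MBR rootkit swaps the bootstrap code in sector 0 but keeps the partition
table so the system still boots; hashing the boot-code region on a clean disk
and re-checking it later catches the swap. All sample bytes are constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440               # 0x000..0x1B7: bootstrap code
# 0x1B8..0x1BB: Windows disk signature, 0x1BC..0x1BD: normally zero
PARTITION_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"     # 0x1FE..0x1FF


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one classic MBR partition entry (CHS fields are skipped)."""
    status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack(
        "<B3BB3BII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(mbr: bytes) -> dict:
    """Validate the boot signature, hash the boot code, decode used partitions."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[MBR_SIZE - 2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    table = mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 4 * PARTITION_ENTRY_LEN]
    entries = [parse_partition_entry(table[i:i + PARTITION_ENTRY_LEN])
               for i in range(0, len(table), PARTITION_ENTRY_LEN)]
    return {
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": mbr[0x1B8:0x1BC].hex(),
        "partitions": [e for e in entries if e["type"] != 0],
    }


def bootcode_matches_baseline(mbr: bytes, baseline_sha256: str) -> bool:
    """True when the boot-code region still hashes to the recorded clean value."""
    return parse_mbr(mbr)["bootcode_sha256"] == baseline_sha256


def restore_bootcode(mbr: bytes, clean_bootcode: bytes) -> bytes:
    """Replace only bytes 0..439, keeping disk signature, partition table and
    boot signature. This mirrors a boot-sector repair; a full disk wipe, as the
    post recommends, is the safer course."""
    if len(clean_bootcode) != BOOTCODE_LEN:
        raise ValueError(f"clean boot code must be {BOOTCODE_LEN} bytes")
    return clean_bootcode + mbr[BOOTCODE_LEN:]


def read_mbr(device_path: str) -> bytes:
    r"""Read sector 0 of a raw disk; needs root/administrator. Example paths
    (assumptions, not from the post): r"\\.\PhysicalDrive0" on Windows,
    "/dev/sda" on Linux."""
    with open(device_path, "rb") as disk:
        return disk.read(MBR_SIZE)


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed test disk: given boot code, one bootable NTFS-type (0x07)
    partition at LBA 2048 of 204800 sectors, three empty entries."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("boot code too long")
    bootcode = bootcode.ljust(BOOTCODE_LEN, b"\x00")
    disk_signature = b"\x12\x34\x56\x78\x00\x00"
    entry = struct.pack("<B3BB3BII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)
    empty = b"\x00" * PARTITION_ENTRY_LEN
    return bootcode + disk_signature + entry + empty * 3 + BOOT_SIGNATURE


# Constructed stand-ins: the opening bytes of a typical bootstrap (xor ax,ax;
# mov ss,ax; mov sp,0x7c00; ...) versus a hijacked sector that jumps elsewhere.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"
INFECTED_BOOTCODE = b"\xeb\x3c\x90" + b"\x00" * 13 + b"ROOTKIT"

if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOTCODE)
    baseline = parse_mbr(clean)["bootcode_sha256"]   # record this on a clean system
    infected = build_sample_mbr(INFECTED_BOOTCODE)    # same partitions, new boot code
    print("clean matches baseline:", bootcode_matches_baseline(clean, baseline))
    print("infected matches baseline:", bootcode_matches_baseline(infected, baseline))
    print("partition table unchanged:",
          parse_mbr(infected)["partitions"] == parse_mbr(clean)["partitions"])
    restored = restore_bootcode(infected, clean[:BOOTCODE_LEN])
    print("after restore:", bootcode_matches_baseline(restored, baseline))
```

In practice the baseline hash is taken once from a freshly imaged machine and stored off-host; the check is only meaningful against a disk the rootkit is not already filtering, so it should be run from boot media or by reading the drive from another system, since a running infected kernel can hide the real sector 0 from user-mode reads.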