Russian Trojan Built To Bypass Banking SecurityRussian Trojan Built To Bypass Banking Security

A Trojan that is reportedly feeding information from 10,000 stolen records to a Russian crime ring was specifically designed to circumvent financial institution's safeguards.

The malware writer designed the malicious code with components geared to bypass the multifactor authentication protections that financial institutions generally use, according to a spokesman for SecureWorks, which first discovered the Trojan. Calling it a "novel approach," the spokesman said they have notified the financial community to be on the look out for a continuing or similar attack.

Analysts at SecureWorks said the Trojan, named Gozi, has been stealing personal information since Dec. 13, 2006. The malicious code, which had gone undetected for about 50 days, has stolen 10,000 records containing the personal information from roughly 5,200 people. A spokesman for the security company said in an e-mail to information that their analysis showed that the stolen information included more than 2,000 Social Security numbers.

SecureWorks also reported that the data was obtained through compromised banking applications, student portals, online job applications, tax return electronic filing applications, government HR applications, and infected online call centers.

"Another interesting aspect is that several of the banks whose clients were compromised had multifactor authentication protections in place," the spokesman wrote in the e-mail. "However, the information Gozi captured enabled one to circumvent the protections and in a relatively easy fashion."

The stolen records included account numbers and passwords from clients of many of the top global banks and financial services companies and major U.S. retailers, reported the spokesman, who added that the hacker's receiving server also contained information and employee login information for confidential government and law enforcement applications.

The data was reportedly being offered for sale by Russian hackers for more than $2 million.

Don Jackson, a researcher for SecureWorks, said in an online advisory that many home PCs became infected when users visited popular community forums for hobbies and online games.

SecureWorks notified a U.S. law enforcement agency in February and has been working to aid the investigation, the spokesman said.

The Gozi mothership server is located on a Russian-owned business network with a history of slow, uncooperative, or nonexistent response to takedown requests, Jackson wrote in the advisory, calling the network a "haven" for people running Trojan, spyware, or phishing kits. The Russian subscription service selling the stolen data was taken down as of March 12, SecureWorks reports. The server, though, is still up and running, and receiving any stolen data that the Trojan is capturing.

The rate of new infections appears to be slowing down considerably, said Jackson.

An advisory on the U.S.-CERT Web site notes that while new and sophisticated exploits can be difficult to defend against, keeping antivirus software updated can significantly aid in the fight. The agency also suggests a series of steps for securing Web browsers.