New strain of Gozi virus steals thousands of bank details

A fresh batch of the Russian Gozi virus has spread across the world, stealing personal data from thousands of computer users.

The malware variant is similar to the original Gozi virus, which was detected in January, but has two new features. The first is a packing utility that encrypts, compresses and deletes sections of the virus code in order to evade detection by signature-based anti-virus software. The second is a built-in keylogging function designed to capture and steal personal data, with the ability to snatch information from encrypted SSL streams.

The keylogging feature is activated when a user on an infected computer visits an e-banking website, according to reports. So far, information compromised by the virus includes bank and credit card account numbers, online payment account details, usernames and passwords.

Don Jackson, a researcher at SecureWorks, uncovered the Trojan variant, which sends the stolen data to a server located in Russia.

"It is bad enough that this new version of Gozi can encrypt and rotate its program code to bypass conventional signature detection, but the fact it can switch a keylogging function on and off when the infected PC reaches an e-banking web page makes it almost undetectable using conventional IT security technology," warned Geoff Sweeney, co-founder and chief technology officer of behavioural analysis software company Tier-3.
