Did Feds Defuse Blitzkrieg on Banks?

Gozi Charges May Deter Fraudsters and Planned Attacks
Did Feds Defuse Blitzkrieg on Banks?

The indictment of three suspects allegedly linked to the creation of the Gozi banking Trojan is a sign of progress in the ongoing fight against malware, experts say. And it could help derail plans for a spring blitzkrieg-like attack aimed at U.S. banks.

See Also: IoT is Happening Now: Are You Prepared?

On Jan. 23, federal authorities unsealed indictments against Nikita Kuzmin, a Russian who created the Gozi virus, and two alleged co-conspirators.

Ryan Sherstobitoff, a threat researcher at online security firm McAfee, says these indictments may prove to be a deterrent to fraudsters.

"The charges show cybercriminals that you are not safe in Russia or other former [Soviet] Bloc countries from arrest, and you are not anonymous," Sherstobitoff says. "Eventually, you will get caught, and law enforcement is getting better and better at catching creators of malware variants, even when they are obscure."

The charges also could foil plans for the spring blitzkrieg-like attack researchers at RSA identified in October, he says.

"There could be pressure put on the [alleged] cybercriminals behind Gozi to give up the names of those who used their service," Sherstobitoff says. "It also could reveal who's truly behind Project Blitzkrieg."

Prinimalka and Project Blitzkrieg

In October, RSA identified a Gozi variant it named Prinimalka, and said it was being promoted in underground forums as part of a campaign to recruit 100 botmasters for a coordinated attack against 30 U.S. banks. RSA also said evidence suggested that Prinimalka had been around since 2008 and had been used in previous attacks.

Some security experts were skeptical of RSA's findings and questioned the motivations of the hacker known as vorVzakone, who had openly advertised his request to recruit botmasters. The hacker's lack of discretion raised eyebrows.

But in December, McAfee's Sherstobitoff released new research supporting RSA's findings, lending credence to the attack.

Now Sherstobitoff says the charges against those believed to be the original Gozi's founders could keep vorVzakone from moving forward with his plans. In fact, evidence already suggests momentum behind Project Blitzkrieg has tapered off: Sherstobitoff says no new samples for Prinimalka campaigns have been released since the end of last year.

"Two things could happen," Sherstobitoff says. "One is nothing, since he [vorVzakone] is operating independently and not directly with the three who have been charged." Or, the charges against Gozi's [alleged] creators could suggest investigators are hot on Prinimalka's trail, he says. "He may be too concerned to execute Project Blitzkrieg, because now the creators that he bought the Trojan from have been arrested."

But Limor Kessem, a lead cyber-intelligence expert at RSA, says the gap between Gozi and Gozi-Prinimalka, at this point, is too wide to have an impact on Project Blitzkrieg.

"I think it's completely separate," Kessem says. "Gozi, in itself, is one thing. Prinimalka is a Trojan that is based on Gozi, but it's owned by a separate group."

That said, Kessem, like Sherstobitoff, says it's possible more could be revealed about the gang behind Prinimalka through the charges brought against the alleged Gozi creators.

"We are really hoping there will be a trail of crumbs, and that these three will reveal more," she says.

Gozi Charges

In addition to Kuzmin, these latest charges involve Deniss Calovskis, better known as "Miami," a Latvian coder who allegedly enhanced Gozi; and Mihai Ionut Paunescu, better known as "Virus," a Romanian national who is said to have run a hosting service that allowed cybercriminals to distribute Gozi, Zeus and other malware.

Kuzmin was arrested in the U.S. in November 2010. In May 2011 he pleaded guilty to various computer intrusion and fraud charges. Calovskis was arrested in Latvia in November 2012. Paunescu was arrested in Romania in December 2012.

Kuzmin is said to have created Gozi in 2005, but the Trojan was not discovered until 2007. Like Zeus, Gozi is a keylogger designed to steal personal bank account information, including usernames and passwords, after infecting a user's computer.

Authorities say the virus was distributed to in several different ways, including through infected .pdf documents.

Gozi has been linked to the infection of more than 1 million computers globally and tens of millions of dollars in financial losses.

Kuzmin and his alleged co-conspirators regularly paid others to refine, update and improve Gozi, authorities say. In fact, Calovskis was allegedly hired to develop Web injections that altered how webpages of particular banks appeared on infected computers.

One Web injection Calovskis is allged to have designed altered the customer welcome page of a bank so that the user was prompted to provide additional personal information, such as mother's maiden name, Social Security number, driver's license information and a PIN code, to access the website, authorities found.

76 Service

Unlike the commercial Trojan Zeus, Gozi's distribution and use has remained contained, experts say. But this private Trojan was spread across the Internet and into the hands of cybercriminals throughout the world primarily through a business Kuzmin allegedly started known as 76 Service. The service is believed to have allowed Kuzmin to provide Gozi to co-conspirators and then charge them for maintenance and use.

In 2009, the service was promoted on numerous underground forums for hackers, at which time Kuzim allegedly began selling Gozi outright, giving other hackers the ability to enhance and specialize it.

It's from that outright sale of the Trojan that Sherstobitoff and Kessem believe Gozi Prinimalka was born.

"The timeline supports what we know about Gozi Prinimalka, how it emerged and how Blitzkrieg was announced," Sherstobitoff says. "It's truly possible that it's traceable, even though Gozi is a private Trojan. If it was sold to small group, then the three behind Gozi definitely know the handles, if not the real names, of those who purchased it and enhanced it."

Charges a Positive Sign

Kessem says the takedown of cybercriminals, like the one linked to Gozi, does have a positive impact. "We already see movement away from commercial malware," she says. "We are expecting them [hackers] to be extra, extra careful, and, gladly, they are going to have to take their operations down a bit. It makes too much noise when these Trojans are all over the place."

Prosecutions also serve as a deterrent, because cybercriminals now understand they could be caught and receive jail time.

Sherstobitoff is a bit more skeptical, in that he doesn't see the charges against the alleged Gozi creators having a widespread affect on other botmasters. "I may put a dent in Gozi's development, but I don't think it will cause a dent in cyberoperations."


About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network