Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Mar 23, 2007

Forensic analysis of a Russian Trojan

The techoes at SecureWorks describe the painstaking forensic analysis of "Gozi", a Trojan horse program on a customer's PC. The Trojan (which was not at first recognized by antivirus packages) was found to be stealing sensitive data (prior to it being encrypted and sent to SSL websites by IE or Javascript) and secretly sending it to a remote server. From there, the stolen information was put up for sale on the black market, along with associated hacking services.

The description, like the Trojan, is complex and technical but makes fascinating reading for IT professionals. The analysts used virtual machines, Safe Mode, a debugger and tools from SysInternals and Wireshark/Ethereal to dissect the beast. Luckily the antivirus companies' tech gurus have the patience and skills to do this kind of analysis on our behalf.

More malware links