SecureWorks discovers Russian trojan, cache of stolen data from 15,000 users
A new trojan with multiple variants and the ability to get around SSL protection and circumvent multifactor authentication has managed to steal authentication information for accounts of more than 300 companies and government organizations, a researcher with SecureWorks told SCMagazine.com today.
Researcher Don Jackson found the worm after a friend received a suspicious message from a large online financial organization in January 2006. His favor for a friend led him to investigate a stealthy new Russian trojan named Gozi and a repository of stolen information from more than 5,200 home PC users and 10,000 account records — including names and password information for top global banks, retailers, government organizations and law enforcement systems.
"When we looked at the PC, there were several pieces of malware, but one of them wasn’t being detected at all," Jackson said. "So that prompted an analysis of the code itself. In analyzing the code, we realized it was communicating out to a certain IP address, and after the code analysis was complete, I was very interested in the server address."
Jackson and his colleagues were then able to gain access to the data stored on the server.