Friday, April 19, 2013

New version of Gozi financial malware placed in the MBR


Researchers at the security company Trusteer have discovered a new variant of the Gozi banking Trojan that infects the master boot record (MBR) of the hard disk in order to evade detection by antivirus software.

Recall that the MBR is the first sector of the hard disk. It holds the initial boot code together with the partition table, which describes how the disk is divided and where the installed operating systems reside. Code in the MBR runs when the machine starts, before the operating system and any antivirus software it carries have loaded. That is why some sophisticated malware families install themselves there; earlier MBR-based malware includes TDL4 and TDSS.
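The layout described above is what an analyst inspects when checking a disk for this class of infection, and it also explains why a hash of the boot code is the simplest tamper check. The following Python example is added here for illustration and is not code from the original article or from Trusteer: it decodes a raw 512-byte sector into boot code, partition table and boot signature, then compares the boot code against a known-good SHA-256 baseline. The sample MBRs, the stand-in boot code bytes and the baseline hash are all constructed for the example; the MBR offsets themselves are the standard layout.

```python
import hashlib
import struct

# MBR layout (sector 0 of the disk, 512 bytes):
#   0..439   boot code
#   440..443 Windows disk signature (differs per install, so excluded from the hash)
#   444..445 usually 0x0000
#   446..509 four 16-byte partition table entries
#   510..511 boot signature 0x55 0xAA
SECTOR_SIZE = 512
BOOT_CODE_LEN = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510
MBR_SIGNATURE = b"\x55\xaa"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (the CHS fields are skipped)."""
    status, part_type, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,
        "type": part_type,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entries.append(parse_partition_entry(sector[off:off + PART_ENTRY_LEN]))
    return {
        "signature_ok": sector[SIGNATURE_OFF:] == MBR_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        # a partition type of 0x00 marks an unused slot
        "partitions": [e for e in entries if e["type"] != 0],
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare a sector against a known-good boot code hash; returns a list of findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    if sum(1 for p in info["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test data: a minimal MBR with one bootable NTFS partition."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    # status 0x80 = bootable, type 0x07 = NTFS, starts at LBA 2048, 1,000,000 sectors long
    sector[PART_TABLE_OFF:PART_TABLE_OFF + PART_ENTRY_LEN] = struct.pack(
        "<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    sector[SIGNATURE_OFF:] = MBR_SIGNATURE
    return bytes(sector)


# Constructed stand-in for a legitimate boot loader stub; on a real system the
# baseline hash would be recorded from a disk known to be clean.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Constructed tampered copy: the boot code is replaced while the partition
# table is left intact, so the machine still boots normally.
TAMPERED_MBR = build_sample_mbr(b"\xea\x05\x00\x00\x7c" + CLEAN_BOOT_CODE)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_SHA256))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

To run this against a real machine, feed `check_mbr` the first 512 bytes of the raw device (for example `/dev/sda` on Linux or `\\.\PhysicalDrive0` on Windows, both requiring administrative rights). One caveat matters for exactly the malware discussed here: a bootkit that is already running can filter reads of sector 0 and hand back a clean copy, so the check is only trustworthy when the sector is read from an offline disk or a forensic image rather than from the live system.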

This is one reason Windows 8 added support for the Secure Boot feature, which is intended to stop unauthorized third-party code written to sector zero from taking over the boot process. Experts note that malicious code placed in the MBR is very difficult to find, and that not every operating system even offers standard tools for inspecting the MBR.


Trusteer noted that although placing malicious code in the MBR is an effective way to hide it, a rootkit of this kind cannot by itself perform application-level tasks such as stealing payment data, so it still needs modules running inside the operating system.

The new Gozi MBR variant uses a component that waits for Microsoft's Internet Explorer browser to start and then injects malicious code into the browser's processes. This lets the malware intercept and analyze the traffic of web sessions, just as other banking Trojans do.

"The fact that a new version of Gozi has appeared shows that cyber criminals continue to use this malicious code to carry out their illegal schemes. The new version is very similar to the old one, but it has the MBR component," Trusteer said.

The company added that not all antivirus programs are capable of detecting a threat located in the MBR.
