
New version of Gozi banking Trojan can create P2P botnet

April 8, 2016

Rather than writing brand-new banking Trojans, attackers often prefer to modify older versions of popular financial malware. A case in point: Doctor Web security researchers have discovered a new modification of Trojan.Gozi, a banking Trojan whose source code became publicly available some time ago.

This malware, which runs on 32- and 64-bit Windows, can carry out a wide range of malicious activities. For instance, it can steal data that the user enters into web forms, perform web injections and log keystrokes. In addition, the Trojan is designed to give the attacker remote access to the infected machine by means of Virtual Network Computing (VNC). On command, it can also start a SOCKS proxy server on the host and download and install various plug-ins.


Like many other present-day malware programs, Trojan.Gozi uses a domain generation algorithm (DGA) to determine the addresses of its C&C servers. It downloads a text file from a NASA web server, uses it as a word list, and combines the words with the current date to generate the domain names of its control servers. Every 15 days, the Trojan switches to a new C&C server. All information sent and received by the malware is encrypted.
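To make the dictionary-plus-date scheme concrete, here is an added example (written for this page; it is neither Doctor Web's code nor Gozi's actual algorithm) of a hypothetical DGA that derives domains from a downloaded word list and a 15-day time window, followed by the defender-side routine that walks the same windows ahead of time to precompute a blocklist. The word-list text, the SHA-256-based word selection, the TLD set and the number of domains per window are all assumptions; only the date-seeded dictionary pattern and the 15-day rotation come from the article.

```python
import hashlib
import re
from datetime import date, timedelta

# Constructed stand-in for the downloaded word list. The Trojan described
# above fetches a real text file from a public web server; this paragraph is
# NOT that file and is here only so the example runs offline.
WORD_LIST_TEXT = """
We the people, in order to form a more perfect union, establish justice,
insure domestic tranquility, provide for the common defence, promote the
general welfare, and secure the blessings of liberty to ourselves and our
posterity, do ordain and establish this constitution for the united states.
"""

PERIOD_DAYS = 15                # rotation interval stated in the article
TLDS = ("com", "net", "org")    # assumed; the page does not list any TLDs


def words_from_text(text):
    """Turn the downloaded text into a deterministic, de-duplicated word list.

    Only alphabetic tokens of 3..8 characters are kept so that every generated
    label is a valid DNS label; sorting keeps the index -> word mapping stable
    across runs, which a DGA needs on both the bot and the operator side.
    """
    tokens = re.findall(r"[A-Za-z]{3,8}", text)
    words = sorted({t.lower() for t in tokens})
    if not words:
        raise ValueError("word list is empty; cannot generate domains")
    return words


def period_seed(day, period_days=PERIOD_DAYS):
    """Every day inside the same period_days-long window maps to one seed."""
    return day.toordinal() // period_days


def generate_domains(words, day, count=10, tlds=TLDS):
    """Derive `count` candidate C&C domains for the window containing `day`.

    Hypothetical scheme: each domain is 2 or 3 dictionary words picked by
    bytes of SHA-256("<seed>:<index>"). Same seed -> same domain list, so all
    bots agree on where to look without contacting each other.
    """
    seed = period_seed(day)
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).digest()
        n_words = 2 + digest[0] % 2
        parts = []
        for k in range(n_words):
            idx = int.from_bytes(digest[1 + 2 * k:3 + 2 * k], "big") % len(words)
            parts.append(words[idx])
        tld = tlds[digest[7] % len(tlds)]
        domains.append("".join(parts) + "." + tld)
    return domains


def precompute_blocklist(words, start, days_ahead=45, count=10):
    """Defender side: enumerate every window that `days_ahead` days from
    `start` will touch and collect all candidate domains for DNS blocking or
    sinkholing. Returns a sorted, de-duplicated list."""
    seen = set()
    day = start
    end = start + timedelta(days=days_ahead)
    while day < end:
        seen.update(generate_domains(words, day, count))
        day += timedelta(days=1)
    return sorted(seen)


if __name__ == "__main__":
    words = words_from_text(WORD_LIST_TEXT)
    today = date(2016, 4, 8)
    for d in generate_domains(words, today):
        print(d)
    print(len(precompute_blocklist(words, today)), "domains to block over 45 days")
```

Against a real sample the word list and the selection function are recovered by reversing the binary; once they are known, the same precomputation lets a defender register or sinkhole the upcoming windows' domains before the bots roll over to them.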

What is new in this modification is the ability to form P2P botnets, which allows infected machines to exchange encrypted data directly with one another rather than only through the C&C servers.

All the functions mentioned above, especially the Trojan's ability to perform web injections, are used to steal confidential data from the user's computer, including login credentials for online banking systems. Dr.Web successfully detects and removes Trojan.Gozi, so this malicious program poses no threat to our users.
