Gozi malware arrests, report highlight Russian cybercrime

Russia's notoriety as a home for cybercriminals was highlighted in the conviction of the creator of the infamous Gozi malware and a new report that found the majority of exploit kits were built in the country.

On Wednesday, federal prosecutors in New York unsealed an indictment that charged Russian national Nikita Kuzmin with creating the Gozi Trojan. The malware infected more than 1 million computers globally and led to tens of millions of dollars in losses at several major U.S. banks.

On Tuesday, managed security provider Solutionary released a report showing that 70% of the exploit kits reviewed by its Security Engineering Research Team were released or developed in Russia.

"A lot of these exploit kits are not simple little things that script kiddies have written," Rob Kraus, director of research for Solutionary, said. "They are robust applications that almost emulate those of enterprise solutions. There's a lot of time and effort put into these exploit kits to make them profitable."

Almost 60% of the vulnerabilities targeted by the kits are more than two years old, showing that exploiting known vulnerabilities remains a lucrative business.

Russia is home to some of the world's most notorious malware writers and distributors. Lax law enforcement and an economy favoring the wealthy have pushed many computer programmers underground. A large number of the developers build the malware and then sell or rent it to others.

"I think a big part of it is the brilliant mind syndrome," Stuart McClure, chief executive and founder of security firm Cylance, said. "So many talented mathematicians and scientists with few positive applications for that brilliance."


Russian cybercriminals tend to focus on bank fraud, which is why a lot of specialized Trojans like Gozi originate from the country, Ryan Sherstobitoff, senior security researcher for McAfee, said.

"That's why Russia tends to be a malware hotspot (for bank fraud)," Sherstobitoff said. "Most Russian cybercriminals are interested in profit and financial gain, as opposed to stealing state secrets."

In general, 60% to 70% of all malware is aimed at stealing from bank accounts or making illegal fund transfers, Sherstobitoff said.

Kuzmin designed the Gozi Trojan in 2005 and passed along his list of technical specifications to computer programmers to write the source code, according to the indictment. Kuzmin then opened a business called "76 Service" that charged a weekly fee for use of the malware. Buyers could configure it to steal data of their choosing and Kuzmin provided the storage for the data. In 2009, he sold the malware outright for about $50,000 plus a share of the profits.

McAfee believes there could be a connection between Kuzmin selling the malware and another cybercriminal, who goes by the nickname vorVzakone, planning to use a Gozi variant in a coordinated attack this spring on U.S. banking customers. The timing of the events makes them "highly suspicious," Sherstobitoff said.

VorVzakone announced Project Blitzkrieg last September while trying to recruit other criminals on a semi-private, Russian-language underground forum.

Kuzmin was arrested in the United States in November 2010 and pled guilty six months later to a variety of computer intrusion and fraud charges, the indictment said. Two other men involved in the creation and distribution of the Gozi malware were also charged.

Deniss Calovskis, a Latvian national suspected of writing some of the Gozi source code, was arrested in his home country in November 2012. Mihai Ionut Paunescu, a Romanian national suspected of running a hosting service for distributing Gozi and other malware, was arrested in his country in December 2012.
