Gozi takedown big, but not likely to change threat landscape
- — 06 February, 2013 14:19
The indictment two weeks ago of the alleged masterminds behind the Gozi Trojanwas significant for several reasons, security experts say. But it is not expected to change the malware threat landscape significantly.
As is the case in the drug trade, if one major cartel falls, there are plenty of others to take its place.
The first measure of the importance of the bust was Gozi's success. The U.S. Attorney's Office of the Southern District of New York, in announcing the indictments against three of its creators, called it "one of the most financially destructive computer viruses in history (that) infected over one million computers globally and caused tens of millions of dollars in losses."
Dell SecureWorks, which discovered the Gozi Trojan in 2007, believes the elimination of its creators means it will likely fade away. The three at the top of the Gozi Trojan operation were arrested months or years ago. They all now face multiple charges, including bank, computer and wire fraud.
Don JacksonÃ'Â wroteÃ'Â at the Dell SecureWorks blog this week: "Without active development and support from the Gozi godfather and his indispensable inner circle of co-conspirators, I believe the Gozi threat will cease to evolve and will eventually die through attrition."
The U.S. Attorney's office said Nikita Kuzmin, a Russian national who created Gozi, was arrested in the U.S. in November 2010 and pled guilty before U.S. District Judge Leonard B. Sand to various computer intrusion and fraud charges in May 2011.
Deniss Calovskis, a Latvian national also known as "Miami," who allegedly wrote some of the computer code that made the Gozi virus so effective, was arrested in Latvia last November.
Mihai Ionut Paunescu, a Romanian national known as "Virus," allegedly ran a "bulletproof hosting" service that enabled cyber criminals to distribute the Gozi virus, the Zeus Trojan, and other malware, along with committing other cybercrimes. He was arrested in Romania last December.
Paul Ducklin, writing on Sophos' Naked Security blog, labeled Kuzmin the "COO," Paunescu the "CIO" and Calovskis the "Senior Web Consultant."
Jackson wrote that Gozi was successful largely because it had been "developed clandestinely and operated by a very small group of highly capable and experienced cybercriminals."
But, that was also Gozi's Achilles heel, he wrote. "This structure limited the amount of intelligence that could be gathered, but it also concentrated the technical know-how and capabilities required to run a profitable Gozi operation into a few key individuals," he said.
[Joan Goodchild in the Leading Edge blog: Is your security plan proactive or reactive?]
Security blogger Brian Krebs saidÃ'Â Calovskis's arrest could be significant. Krebs, who has covered different phases of the Gozi Trojan operation, told CSO Online that the arrest of Miami -- if that really is who Calovskis is -- is a "bigger deal" than this version of Gozi dying out.
"I cannot verify whether American prosecutors got the right guy in arresting Calovskis, and of course, all are innocent until proven guilty," he said. "But if prosecutors have in fact arrested Miami, then that is probably the most significant aspect of this case, because his specialty was devising custom injects -- 'plugins' for different malware families that help users of these bot programs target specific financial institutions."
Krebs said Calovskis has been very active creating web injects for other cybercriminal gangs, including Jabberzeus. "I'm not certain which other malware families or crime families Miami has written for, but he was widely known on some of the more exclusive forums, and his arrest seems to be causing consternation there, because no doubt his former clients are probably freaking out," Krebs said.
The bottom line, however, is that this only eliminates the proverbial drop in an overflowing bucket of malware threats. Kevin McAleavey, cofounder and chief architect of the KNOS project, said even if Calovskis is Miami, authorities didn't get what he calls the "actual coder" of the Gozi Trojan itself.
"Calovskis wrote the injector code, but he's not the real coder who did the heavy lifting," he said. "The arrests of the three perpetrators apparently hasn't turned up the actual coder of the Gozi Trojan, and that person is apparently still free to code for someone else who will take their place."
McAleavey added: "[Malware analysts]Ã'Â routinely disassemble malware code to see how it works. So, even without the source, others can recycle major parts of the code from the live samples of Gozi and build a new variant with little difficulty. And there are literally hundreds of other variants out there of different design that will accomplish the same purpose, and elude antivirus detection as readily as Gozi."
"There will be plenty more of these," he said.
Cameron Camp, security researcher with ESET, still sees some positive results from the takedown. "It was an important vector to stop, convincing some criminals at least that it's tougher to get away with this in the face of increasing law enforcement vigilance," he said.
Dr. Hugh Thompson, senior vice president and chief security strategist of Blue Coat Systems, seconds Camp's take. "Any time you can point to an example of where the bad guys are punished, it is a win for our community," he said. "The volume of cybercrime will certainly not be affected by this takedown, but it is a hopeful sign that we can cooperate and bring cyber criminals to justice."
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.