Gozi takedown big, but not likely to change threat landscape

The indictment two weeks ago of the alleged masterminds behind the Gozi Trojan was significant for several reasons, security experts say. But it is not expected to change the malware threat landscape significantly.

As is the case in the drug trade, if one major cartel falls, there are plenty of others to take its place.

The first measure of the importance of the bust was Gozi's success. The U.S. Attorney's Office of the Southern District of New York, in announcing the indictments against three of its creators, called it "one of the most financially destructive computer viruses in history (that) infected over one million computers globally and caused tens of millions of dollars in losses."

Dell SecureWorks, which discovered the Gozi Trojan in 2007, believes the elimination of its creators means it will likely fade away. The three at the top of the Gozi Trojan operation were arrested months or years ago. They all now face multiple charges, including bank, computer and wire fraud.

Don Jackson wrote at the Dell SecureWorks blog this week: "Without active development and support from the Gozi godfather and his indispensable inner circle of co-conspirators, I believe the Gozi threat will cease to evolve and will eventually die through attrition."

The U.S. Attorney's office said Nikita Kuzmin, a Russian national who created Gozi, was arrested in the U.S. in November 2010 and pled guilty before U.S. District Judge Leonard B. Sand to various computer intrusion and fraud charges in May 2011.

Deniss Calovskis, a Latvian national also known as "Miami," who allegedly wrote some of the computer code that made the Gozi virus so effective, was arrested in Latvia last November.

Mihai Ionut Paunescu, a Romanian national known as "Virus," allegedly ran a "bulletproof hosting" service that enabled cyber criminals to distribute the Gozi virus, the Zeus Trojan, and other malware, along with committing other cybercrimes. He was arrested in Romania last December.

Paul Ducklin, writing on Sophos' Naked Security blog, labeled Kuzmin the "COO," Paunescu the "CIO" and Calovskis the "Senior Web Consultant."

Jackson wrote that Gozi was successful largely because it had been "developed clandestinely and operated by a very small group of highly capable and experienced cybercriminals."

But that was also Gozi's Achilles' heel, he wrote. "This structure limited the amount of intelligence that could be gathered, but it also concentrated the technical know-how and capabilities required to run a profitable Gozi operation into a few key individuals," he said.


Security blogger Brian Krebs said Calovskis's arrest could be significant. Krebs, who has covered different phases of the Gozi Trojan operation, told CSO Online that the arrest of Miami -- if that really is who Calovskis is -- is a "bigger deal" than this version of Gozi dying out.

"I cannot verify whether American prosecutors got the right guy in arresting Calovskis, and of course, all are innocent until proven guilty," he said. "But if prosecutors have in fact arrested Miami, then that is probably the most significant aspect of this case, because his specialty was devising custom injects -- 'plugins' for different malware families that help users of these bot programs target specific financial institutions."

Krebs said Calovskis has been very active creating web injects for other cybercriminal gangs, including Jabberzeus. "I'm not certain which other malware families or crime families Miami has written for, but he was widely known on some of the more exclusive forums, and his arrest seems to be causing consternation there, because no doubt his former clients are probably freaking out," Krebs said.

The bottom line, however, is that this only eliminates the proverbial drop in an overflowing bucket of malware threats. Kevin McAleavey, cofounder and chief architect of the KNOS project, said even if Calovskis is Miami, authorities didn't get what he calls the "actual coder" of the Gozi Trojan itself.

"Calovskis wrote the injector code, but he's not the real coder who did the heavy lifting," he said. "The arrests of the three perpetrators apparently haven't turned up the actual coder of the Gozi Trojan, and that person is apparently still free to code for someone else who will take their place."

McAleavey added: "[Malware analysts] routinely disassemble malware code to see how it works. So, even without the source, others can recycle major parts of the code from the live samples of Gozi and build a new variant with little difficulty. And there are literally hundreds of other variants out there of different design that will accomplish the same purpose, and elude antivirus detection as readily as Gozi."

"There will be plenty more of these," he said.

Cameron Camp, security researcher with ESET, still sees some positive results from the takedown. "It was an important vector to stop, convincing some criminals at least that it's tougher to get away with this in the face of increasing law enforcement vigilance," he said.

Dr. Hugh Thompson, senior vice president and chief security strategist of Blue Coat Systems, seconds Camp's take. "Any time you can point to an example of where the bad guys are punished, it is a win for our community," he said. "The volume of cybercrime will certainly not be affected by this takedown, but it is a hopeful sign that we can cooperate and bring cyber criminals to justice."
