digi7al64 and Rahul both alerted me to a really good writeup on the Gozi trojan written by Don Jackson. Not only is it a good writeup but it’s extremely thorough on all the details, from the transmission to how the code operates, to what it does once installed, etc… etc… Very good writeup indeed. The major scary part about this trojan is that it is specifically designed to steal information that would otherwise be invisible to an attacker on the wire because of SSL: since it runs on the infected host, it grabs the data before the browser encrypts it, so SSL offers no protection against it at all.
I think my only beef with the writeup (and this is a nit-pick, really) is that the example output is from Wireshark instead of an HTTP proxy, so it’s difficult to read what’s going on, and parts of the header are cut off. Wireshark is a great program, it’s just really not ideal for looking at HTTP traffic in an intelligible way (although that could be a nice feature enhancement to it, or even turning it into an HTTP MITM itself). Again, that’s a nit-pick, because this is a great writeup.