Good Writeup On the GOZI Trojan

digi7al64 and Rahul both alerted me to a really good writeup on the Gozi trojan written by Don Jackson. Not only is it a good writeup, but it’s extremely thorough on all the details, from the transmission to how the code operates, to what it does once installed, etc… etc… Very good writeup indeed. The major scary part about this trojan is that it is specifically designed to steal information that would otherwise be invisible to an attacker due to SSL.

I think my only beef with the writeup (and this is a nit-pick, really) is that the example output is from Wireshark instead of an HTTP proxy, so it’s difficult to read what’s going on, and parts of the header are cut off. Wireshark is a great program, it’s just really not ideal for looking at HTTP traffic in an intelligible way (although that could be a nice feature enhancement to it - or even turning it into an HTTP MITM itself). Again, that’s a nit-pick, because this is a great writeup.

2 Responses to “Good Writeup On the GOZI Trojan”

  1. qwertzz Says:

    Love your blog Rsnake.
    Tried looking around for some more information on how Gozi works sniffing SSL data. The writeup mentions something about layered service providers in Winsock2, but does not really go into detail. Any ideas?

  2. RSnake Says:

    I really don’t know that much about the trojan other than what you see there, although if I had to guess I’d think it would be something like a browser shim, that way you don’t have to subvert the protocol, just the browser.