Hybrid SSL keylogger malware surfaces

Tier-3 have today announced that a highly dangerous hybridised version of the Russian Gozi virus has surfaced that not only features an integrally-coded keylogger, but has the ability to steal data from an SSL stream. Sunday newswire reports suggest that the keylogger feature is only triggered when an infected PC visits an e-banking Web site.
 
The virus variant was discovered by Don Jackson, a researcher with SecureWorks, who discovered the original Gozi virus in January.
 
Jackson is quoted as saying that this new variant has two new features: a packing utility that hides the virus code and a new keylogging facility.
 
Geoff Sweeney, co-founder and CTO of behavioural analysis software company Tier-3, described the new features as a dangerous new step in virus coding.
 
“It is bad enough that this new version of Gozi can encrypt and rotate its program code to by-pass conventional signature detection, but the fact it can switch a keylogging function on and off when the infected PC reaches an e-banking Web page makes it almost undetectable using conventional IT security technology,” he said. “My understanding of this new version is that behavioural analysis technology is the only way of preventing an infected PC user’s e- banking data from being logged and compromised,” he added.