Three Charged with Creating, Distributing Gozi Banking Malware

Charges will be brought today in the U.S. District Court for the Southern District of New York against three men allegedly involved with creating and distributing the Gozi banking Trojan. Gozi infected more than a million computers worldwide, including a handful at NASA, leading to tens of millions of dollars in lost banking funds and damages to computer systems and networks.

Mihai Ionut Paunescu, a Romanian, Deniss Calovskis, a Latvian, and Nikita Vladimirovich Kuzmin of the Russian Federation, are charged with computer intrusion, conspiracy to commit bank and wire fraud and access device fraud. Federal authorities said the three were arrested this week; Kuzmin is being held in New York, while Paunescu is in custody in Romania and Calovskis in Latvia.

Documents outlining the charges against the three men describe schemes involving fraud, identity theft and other illegal online activity dating back to 2007, carried out primarily through the distribution of Gozi. The Trojan’s primary purpose is to steal online banking credentials; the men are charged with creating the malware and updating it with new functionality, managing its distribution channels, and stealing millions from online bank accounts. They allegedly used the malware to harvest user names, passwords and account numbers for online accounts, primarily in Europe but more recently at a large New York bank, the indictments said.

They’re also being charged with infecting 160 computers at NASA with the Gozi malware, resulting in $40,000 in losses, court documents said.

Gozi is generally spread via malicious .PDF attachments. Once installed, the malware is stealthy, avoiding detection by most security software. It rides along on banking transactions, stealing credentials that are then used to transfer funds out of a victim’s account.

Kuzmin is alleged to be the author of Gozi and the one who gave his co-conspirators access to the malware. Chat logs obtained through search warrants in 2009, 2010 and 2011 show conversations between Kuzmin and numerous customers looking for malware for particular operating systems and configurations, bank account information, and exploits for computers in numerous countries, primarily in Europe.

Several chats show Kuzmin providing customers with links to the malware and lengthy discussions about its functionality and capabilities.

Paunescu, known as “Virus” in court documents, allegedly ran the hosting services serving the malware to victims using machines in Romania, the United States and elsewhere. He allegedly provided IP addresses and servers that would allow his co-conspirators to move the malware and attacks to avoid detection by law enforcement. His hosting infrastructure not only served Gozi, but other banking malware such as SpyEye and Zeus, as well as BlackEnergy malware used to launch distributed denial-of-service attacks, the indictments say. The hosts were also used to deliver spam.

Paunescu’s role in the conspiracy allegedly involved renting servers and IP addresses from ISPs and then renting them out to cybercriminals, the court documents said. He also operated Gozi command-and-control servers for botnets and the proxy servers used to communicate with the C&C, authorities allege. He also monitored whether his IP addresses appeared on spam blacklists and relocated attack traffic when they did. Paunescu was also identified as being behind an attack against a New York bank and the NASA machines.

Calovskis, identified as “Miami” in court documents, allegedly was the group’s coder who wrote the Web injects used in attacks to alter banking pages as displayed on infected machines and trick victims into entering personal information, including mother’s maiden name, Social Security number, driver’s license number, ATM card number and more, which was sent via the C&C to the co-conspirators and used to steal money from accounts. Calovskis’ Web injects were used not only in Gozi attacks but in Zeus attacks as well, court documents said.

Calovskis allegedly had been involved in the scheme since June 2010, when he began distributing Web injects for both Gozi and Zeus.
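The Web injects described above work by grafting extra input fields onto a legitimate banking page inside the victim’s browser, so the served page and the page the user actually sees no longer match. The following is an added example, not code from the article or from any court document, showing one defensive check a bank could run: compare the input fields present in a rendered login form against the set the application is known to emit, and flag anything unexpected, with extra weight on names that look like the identity data the article lists. The field names, the hypothetical bank page and both sample pages are constructed for this example.

```javascript
// Added example (not from the Threatpost article or any court filing):
// integrity check for a hypothetical bank's login form that detects the
// kind of browser-side web inject described in the text, where fields such
// as mother's maiden name, SSN or ATM card number are added to the page.
// In production the field list would come from the rendered DOM
// (document.querySelectorAll('input')) and be reported back to the bank;
// here a small regex extractor over an HTML string stands in for that.

// Field names the real login page is built from (constructed assumption).
const EXPECTED_LOGIN_FIELDS = new Set(['username', 'password', 'remember_me', 'csrf_token']);

// Name fragments that never belong on a login page; these mirror the data
// types the article says the injects harvested.
const HIGH_RISK_FIELD_PATTERNS = [/ssn/i, /social/i, /maiden/i, /licen[cs]e/i, /atm/i, /card/i, /\bpin\b/i];

// Pull the name attribute of every <input> in an HTML fragment.
// A regex is sufficient for this demonstration; it is not a general HTML parser.
function extractInputNames(html) {
  const names = [];
  const re = /<input\b[^>]*\bname\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Compare the fields actually present against the expected set.
// Returns a verdict plus the evidence a SOC analyst would want to see.
function auditForm(html, expected = EXPECTED_LOGIN_FIELDS) {
  const actual = extractInputNames(html);
  const unexpected = actual.filter((n) => !expected.has(n));
  const missing = [...expected].filter((n) => !actual.includes(n));
  const highRisk = unexpected.filter((n) => HIGH_RISK_FIELD_PATTERNS.some((p) => p.test(n)));
  return {
    tampered: unexpected.length > 0 || missing.length > 0,
    unexpected,
    missing,
    highRisk,
  };
}

// Constructed sample: the page as the bank serves it.
const CLEAN_PAGE = `
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="TOKEN">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="checkbox" name="remember_me">
</form>`;

// Constructed sample: the same page after a web inject added three fields.
const INJECTED_PAGE = `
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="TOKEN">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="mothers_maiden_name">
  <input type="text" name="ssn">
  <input type="text" name="atm_card_number">
  <input type="checkbox" name="remember_me">
</form>`;

// Stand-alone run: print both verdicts.
console.log(JSON.stringify(auditForm(CLEAN_PAGE)));
console.log(JSON.stringify(auditForm(INJECTED_PAGE)));
```

The check is deliberately one-directional: the bank knows its own form, so any field outside the allowlist is suspicious regardless of how the inject named it, and the high-risk patterns only decide how loudly to alert. Missing expected fields are reported too, since some injects replace the original form rather than extend it.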
