Gozi takedown big, but not likely to change threat landscape

With Gozi's masterminds indicted, the Trojan has probably run its course. But as with drug cartels, when one falls another rises up.

By Taylor Armerding, CSO
February 06, 2013 07:26 AM ET

CSO - The indictment two weeks ago of the alleged masterminds behind the Gozi Trojan was significant for several reasons, security experts say. But it is not expected to change the malware threat landscape significantly.

As is the case in the drug trade, if one major cartel falls, there are plenty of others to take its place.

The first measure of the importance of the bust was Gozi's success. The U.S. Attorney's Office of the Southern District of New York, in announcing the indictments against three of its creators, called it "one of the most financially destructive computer viruses in history (that) infected over one million computers globally and caused tens of millions of dollars in losses."

Dell SecureWorks, which discovered the Gozi Trojan in 2007, believes the elimination of its creators means it will likely fade away. The three at the top of the Gozi Trojan operation were arrested months or years ago. They all now face multiple charges, including bank, computer and wire fraud.

Don Jackson wrote at the Dell SecureWorks blog this week: "Without active development and support from the Gozi godfather and his indispensable inner circle of co-conspirators, I believe the Gozi threat will cease to evolve and will eventually die through attrition."

The U.S. Attorney's office said Nikita Kuzmin, a Russian national who created Gozi, was arrested in the U.S. in November 2010 and pled guilty before U.S. District Judge Leonard B. Sand to various computer intrusion and fraud charges in May 2011.

Deniss Calovskis, a Latvian national also known as "Miami," who allegedly wrote some of the computer code that made the Gozi virus so effective, was arrested in Latvia last November.

Mihai Ionut Paunescu, a Romanian national known as "Virus," allegedly ran a "bulletproof hosting" service that enabled cyber criminals to distribute the Gozi virus, the Zeus Trojan, and other malware, along with committing other cybercrimes. He was arrested in Romania last December.

Paul Ducklin, writing on Sophos' Naked Security blog, labeled Kuzmin the "COO," Paunescu the "CIO" and Calovskis the "Senior Web Consultant."

Jackson wrote that Gozi was successful largely because it had been "developed clandestinely and operated by a very small group of highly capable and experienced cybercriminals."

But that was also Gozi's Achilles' heel, he wrote. "This structure limited the amount of intelligence that could be gathered, but it also concentrated the technical know-how and capabilities required to run a profitable Gozi operation into a few key individuals," he said.

Security blogger Brian Krebs said Calovskis's arrest could be significant. Krebs, who has covered different phases of the Gozi Trojan operation, told CSO Online that the arrest of Miami -- if that really is who Calovskis is -- is a "bigger deal" than this version of Gozi dying out.

"I cannot verify whether American prosecutors got the right guy in arresting Calovskis, and of course, all are innocent until proven guilty," he said. "But if prosecutors have in fact arrested Miami, then that is probably the most significant aspect of this case, because his specialty was devising custom injects -- 'plugins' for different malware families that help users of these bot programs target specific financial institutions."
