IBM X-Force researchers recently uncovered a new hybrid of the Nymaim and Gozi banking Trojans. The malware, which the researchers are calling GozNym, has already been used to steal $4 million from more than 22 banks in the U.S. and two in Canada, Forbes reports.
“The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan,” IBM executive security advisor Limor Kessem wrote in an analysis of the new malware. “From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers. The end result is a new banking Trojan in the wild.”
While the Gozi malware source code was leaked in 2010, nobody aside from the original Nymaim development team is believed to have access to the Nymaim source code. As a result, Kessem says the most likely scenario is that the Nymaim development team incorporated the leaked Gozi source code into their own malware.
Lastline CTO and co-founder Giovanni Vigna told eSecurity Planet by email that while it’s interesting to see two strands of malware merged, it’s not surprising. “As for any software that has to be flexible and reliable, malware has been modularized for a while, so that functionality can be reused or loaded as needed,” he said. “The stealth behavior of the malware highlights the need for sophisticated dynamic analysis that is able to identify both the overtly malicious actions and the attempts to hide the true nature of the code.”
And Lieberman Software vice president Jonathan Sander said by email that it’s frustrating for security professionals to see something like GozNym successfully stealing as much as $4 million. “You know you told both IT and the business how they needed to react to attacks of this type when the original threats emerged,” he said. “This just shows you that they didn’t really listen then.”
“One would think that once a bad guy has crawled in an unlocked window once everyone would remember to lock it up from then on,” Sander added. “When you walk by and see the open window and the missing valuables, all you can do is sigh, close it up again, and hope folks may heed your warning this time around.”
A recent RSA survey of more than 160 respondents worldwide found that only 7 percent of organizations are completely satisfied with their ability to detect and investigate threats using their current data and toolset.
Fully 92 percent of organizations said they can’t detect threats quickly, and 89 percent said they can’t investigate threats quickly.
“This survey reinforces our greatest fear that organizations are not currently taking, and in many cases are not planning to take, the necessary steps to protect themselves from advanced threats,” RSA president Amit Yoran said in a statement. “They are not collecting the right data, not integrating the data they collect, and focusing on old-school prevention technologies.”
Recent eSecurity Planet articles have offered advice on how to fight advanced persistent threats and how to secure corporate data in a post-perimeter world.