Jump to content

Gozi malware

Jendislav

By Jendislav
in Malware Finding and Cleaning

 Share

Recommended Posts

Jendislav

Jendislav 0

Posted
Posted

Hello friends,

we are using Eset Endpoint Antivirus in our company and I am facing one weird issue.

I just updated AV to latest version and since today I am facing issue with HTTPS websites. Bank account provided blocked access from one laptop to their server because of Gozi malware infection. I just scanned laptop with ESET, Norton, MalwareBytes but nothing was found so far. There is Kaspersky scan from USB running now.

I found that there is weird certificate installed in trusted root certification authorities called computername security cert 2. When I tried to access any website with HTTPS certificates it showed that for example https://google.com is secure, certificate is trusted, but google certificate had been issued by this weird trusted CA which is installed on PC. 

User told me that he did not install anything and did not open any spam or so. There was installed big Windows 10 update 2 day ago.

Does anybody have any advice how to clean the PC.

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,143

Posted
  • Administrators
Posted

It looks like some application (legitimate or malware) is performing a MitM "attack".  To start off, gather logs with ESET Log Collector and post the generated archive here (only moderators will have access to it).

Link to comment
Share on other sites
itman

itman 1,707

Posted
Posted (edited)
On ‎11‎/‎23‎/‎2018 at 12:32 PM, Jendislav said:

I found that there is weird certificate installed in trusted root certification authorities called computername security cert 2. When I tried to access any website with HTTPS certificates it showed that for example https://google.com is secure, certificate is trusted, but google certificate had been issued by this weird trusted CA which is installed on PC. 

To begin with, I would open certmgr.msc and move this certificate from the Windows root CA certificate store to the Untrusted Publishers certificate store. This way if for some reason that certificate is needed, it can be reinserted into the Windows root CA certificate store. -EDIT- Also moving the certificate to the Untrusted Publishers certificate store might result in the concern not being able to connect to any HTTPS web site. In this case, your only alternative is to delete the certificate. You could export the certificate to a secure directory prior deleting it.

Now verify if the site certificate for https://google.com is pinned to the correct root CA store certificate; i.e. Google Trust Services - Globalsign Root CA-R2. Note: This is the pinning relationship in IE11 and I assume Edge since both use the Windows root CA certificate store. As far as Chrome and FireFox browsers who knows since they use their own internal root CA certificate stores.

Assuming the concern can now connect to https://google.com securely, they also should be able to do so to their bank web site w/o issue.

 

Edited by itman
Link to comment
Share on other sites
itman

itman 1,707

Posted
Posted (edited)
34 minutes ago, Jendislav said:

Hi, if I deleted this certificate and restarted PC it returned back to trusted CAs.

I was afraid of that. Appears the malware has installed a mechanism to recreate the bogus root CA store certificate. The most common way is to run certutil.exe, a legit Win system process, via some script type; Powershell, wscript, cscript, or command, from one of the Windows startup directories or registry locations. Or, it created a scheduled task to do likewise at system startup time.

I would recommend you either contact your in country Eset support office by phone or open up an Eset support ticket for assistance.

Edited by itman
Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,143

Posted
  • Administrators
Posted

It appears that you have Safetica installed to prevent data leaks. Since it scans SSL communication, I assume it is the application that performs the MitM "attack". Also you have MBAM installed with all its drivers loaded; I'd recommend using it only as a second-opinion scanner on demand and keep its drivers disabled to prevent clashes with other security software.

Link to comment
Share on other sites
itman

itman 1,707

Posted
Posted (edited)

As far as the bank's claim of a Gozi infection, your customer needs to contact its bank for a more detailed explanation on what they actually detected. It could very well be related to the Safetica proxy interception activity. If this is the case, your customer will have to figure out a way to exclude the bank's web site from Safetica's SSL protocol scanning.

Edited by itman
Link to comment
Share on other sites
Jendislav

Jendislav 0

Posted
  • Author
Posted

Hi, thank you for reply. I can exclude website of that bank from safetica or deactivate safetica for a while, that is no problem, but that weird certificate is another problem I think. I already opened ticket with Eset in Czech Republic, but they did not reply for whole day.

Link to comment
Share on other sites
itman

itman 1,707

Posted
Posted (edited)
39 minutes ago, Jendislav said:

but that weird certificate is another problem I think.

Read this: https://support.safetica.com/index.php?/Knowledgebase/Article/View/379/81/configuring-safetica-to-sign-its-network-communication-with-a-companys-root-digital-certificate :

Quote

The next time your Safetica clients connect to the Safetica Management Server, the clients will receive their individual signed endpoint certificates which will be used to sign all further network communication.

Suspect the "weird" certificate is your client's self-signed Safetica certificate.

Edited by itman
Link to comment
Share on other sites
  • 3 weeks later...
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...