Jendislav

Gozi malware

Hello friends,

we are using Eset Endpoint Antivirus in our company and I am facing one weird issue.

I just updated AV to latest version and since today I am facing issue with HTTPS websites. Bank account provider blocked access from one laptop to their server because of Gozi malware infection. I just scanned laptop with ESET, Norton, MalwareBytes but nothing was found so far. There is Kaspersky scan from USB running now.

I found that there is weird certificate installed in trusted root certification authorities called computername security cert 2. When I tried to access any website with HTTPS certificates it showed that for example https://google.com is secure, certificate is trusted, but google certificate had been issued by this weird trusted CA which is installed on PC. 

User told me that he did not install anything and did not open any spam or so. There was installed big Windows 10 update 2 days ago.

Does anybody have any advice how to clean the PC?


It looks like some application (legitimate or malware) is performing a MitM "attack".  To start off, gather logs with ESET Log Collector and post the generated archive here (only moderators will have access to it).


I would like to mention that our customer paid for business license and he would like to resolve this issue.

On 11/23/2018 at 12:32 PM, Jendislav said:

I found that there is weird certificate installed in trusted root certification authorities called computername security cert 2. When I tried to access any website with HTTPS certificates it showed that for example https://google.com is secure, certificate is trusted, but google certificate had been issued by this weird trusted CA which is installed on PC. 

To begin with, I would open certmgr.msc and move this certificate from the Windows root CA certificate store to the Untrusted Publishers certificate store. This way if for some reason that certificate is needed, it can be reinserted into the Windows root CA certificate store. -EDIT- Also moving the certificate to the Untrusted Publishers certificate store might result in the concern not being able to connect to any HTTPS web site. In this case, your only alternative is to delete the certificate. You could export the certificate to a secure directory prior to deleting it.

Now verify if the site certificate for https://google.com is pinned to the correct root CA store certificate; i.e. Google Trust Services - Globalsign Root CA-R2. Note: This is the pinning relationship in IE11 and I assume Edge since both use the Windows root CA certificate store. As far as Chrome and Firefox browsers, who knows, since they use their own internal root CA certificate stores.

Assuming the concern can now connect to https://google.com securely, they also should be able to do so to their bank web site w/o issue.

 

Edited by itman

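The issuer check described in the post above can also be scripted. The PowerShell below is an added example, not part of the original post: it reports which root a host's certificate chains to on this machine, and lists trusted roots that carry a private key in the store, which is one heuristic for a locally installed TLS-inspection CA (security product or malware; not every product stores its key this way). The function names are this example's own.

```powershell
# Added example (not from the thread). Function names are this example's own.
function Get-TlsChainRoot {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is to inspect the chain, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain against the local Windows certificate stores.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($leaf)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Host           = $HostName
            LeafIssuer     = $leaf.Issuer
            RootSubject    = $root.Subject
            RootThumbprint = $root.Thumbprint
            RootNotBefore  = $root.NotBefore
            RootSelfSigned = ($root.Subject -eq $root.Issuer)
        }
    }
    finally { $tcp.Close() }
}

function Get-RootCaWithPrivateKey {
    # A public root CA never ships its private key; a local interception CA may.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | Where-Object { $_.HasPrivateKey } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotBefore
    }
}

Get-TlsChainRoot -HostName 'google.com'
Get-RootCaWithPrivateKey | Format-Table -AutoSize
```

Running `Get-TlsChainRoot` for the same host on a known-clean machine and comparing `RootThumbprint` shows whether the connection is being re-signed locally.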

Hi, if I deleted this certificate and restarted PC it returned back to trusted CAs.

34 minutes ago, Jendislav said:

Hi, if I deleted this certificate and restarted PC it returned back to trusted CAs.

I was afraid of that. Appears the malware has installed a mechanism to recreate the bogus root CA store certificate. The most common way is to run certutil.exe, a legit Win system process, via some script type; PowerShell, wscript, cscript, or command, from one of the Windows startup directories or registry locations. Or, it created a scheduled task to do likewise at system startup time.

I would recommend you either contact your in-country Eset support office by phone or open up an Eset support ticket for assistance.

Edited by itman

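The startup locations named in the post above can be reviewed with a short script. This PowerShell is an added example, not part of the original post: it lists Run/RunOnce registry values and scheduled-task actions whose command line mentions certutil or a script host, plus everything in the Startup folders. The match pattern and function names are assumptions of this example, and legitimate software will also appear in the output.

```powershell
# Added example (not from the thread). The pattern is an assumption; adjust as needed.
$Pattern = 'certutil|powershell|wscript|cscript|cmd\.exe'

function Get-RunKeyHit {
    param([string]$Pattern)
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if ($value -match $Pattern) {
                [pscustomobject]@{ Source = $key; Name = $name; Command = $value }
            }
        }
    }
}

function Get-ScheduledTaskHit {
    param([string]$Pattern)
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute/Arguments and simply do not match.
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $Pattern) {
                [pscustomobject]@{ Source = $task.TaskPath; Name = $task.TaskName; Command = $cmd }
            }
        }
    }
}

function Get-StartupFolderItem {
    # Per-user and all-users Startup folders; every file is listed for manual review.
    $dirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    Get-ChildItem -Path $dirs -File -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Source'; e = { $_.DirectoryName } }, Name, LastWriteTime
}

Get-RunKeyHit -Pattern $Pattern
Get-ScheduledTaskHit -Pattern $Pattern
Get-StartupFolderItem
```

Run it from an elevated prompt so that tasks and keys belonging to other accounts are visible.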

It appears that you have Safetica installed to prevent data leaks. Since it scans SSL communication, I assume it is the application that performs the MitM "attack". Also you have MBAM installed with all its drivers loaded; I'd recommend using it only as a second-opinion scanner on demand and keep its drivers disabled to prevent clashes with other security software.


As far as the bank's claim of a Gozi infection, your customer needs to contact its bank for a more detailed explanation on what they actually detected. It could very well be related to the Safetica proxy interception activity. If this is the case, your customer will have to figure out a way to exclude the bank's web site from Safetica's SSL protocol scanning.

Edited by itman


Hi, thank you for the reply. I can exclude website of that bank from Safetica or deactivate Safetica for a while, that is no problem, but that weird certificate is another problem I think. I already opened ticket with Eset in Czech Republic, but they did not reply for whole day.

39 minutes ago, Jendislav said:

but that weird certificate is another problem I think.

Read this: https://support.safetica.com/index.php?/Knowledgebase/Article/View/379/81/configuring-safetica-to-sign-its-network-communication-with-a-companys-root-digital-certificate :

Quote

The next time your Safetica clients connect to the Safetica Management Server, the clients will receive their individual signed endpoint certificates which will be used to sign all further network communication.

Suspect the "weird" certificate is your client's self-signed Safetica certificate.

Edited by itman

