Gozi, Part 1: The Rise of Malware-as-a-Service

Nikita Kuzmin could have been a whiz programmer or a CEO of a successful startup. But as a teen in Moscow, he fell in with the wrong crowd, and his entrepreneurial skills found a different path: Gozi, the oddest and most brilliant malware operation ever conceived to that point in time.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 12 million downloads as of Oct. 2018.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Gozi, Part 1: The Rise of Malware-as-a-Service

How does somebody end up becoming a hacker? Nikita Kuzmin certainly didn’t have to become one. He was a good-looking young guy: short blonde hair, bright blue eyes. His skin was pale, a little pimply, sharp features with stubble growing along his sideburns.

For someone his age, he was quite enterprising. He drove around on an old, banged-up motorized bike he originally found one day, lying on the edge of a road, after it’d been crashed and ditched by its owner. He often thought of replacing that dinky bike with a fancy car. But it got him around, for most of his teen years.

In another life, Nikita could’ve been any number of things. With his skillset, he could’ve been a highly sought-after cyber security expert, a whiz programmer, or maybe even the CEO of a tech company. Because he was brilliant. Early on, as a young teenager, Nikita’s coding skills were admired by older peers. That, perhaps, was not a good thing. Without the role models in his life that could’ve guided him in honing those skills–towards building things, or getting a job, maybe–he instead became an active member of ShadowCrew, a web forum for cyber criminal activity.

During the early 2000s, ShadowCrew.com was the center of the hacking universe. The stories, and the people that were borne out of that forum–Brett Shannon Johnson, Albert Gonzalez, Alexsi Kolarov, and others–will be subjects of many Malicious Life episodes to come. Nikita worked alongside some of the most famous and respected cyber criminals of his time, as he honed his skills coding spyware and remote access trojans. It was in this environment that the young teenager grew up, and learned how to think.

According to a researcher who studied him closely–a researcher who will become very important to this story, very soon–Nikita was known in ShadowCrew not just for his youth and skill, but for, quote, “his enthusiasm for the idea that Internet fraud, especially against Western targets, was a legitimate profession with better pay and perks than working for local computer and software retail outlets, university labs, and ISPs.”

By his early 20s, he’d attended two major engineering universities, and earned a degree in computer science. If he were living in California, the job offers would have poured in. But Nikita was from Moscow, and the people he was in league with took him down a very different life’s path.

Corpse and Haxdoor

His second outfit was the HangUp Team. HangUp deemed themselves “cyber-fascist”: radically left, wagers of financial warfare. Among their favorite hobbies was posting imagery with swastikas online. In one example, a shining swastika sits atop a Christmas tree on the White House front lawn. More so than a cogent ideology, HangUp were driven by virulent anti-Americanism. According to ‘Malicious Bots’, a book by Ken Dunham and Jim Melnick, members often referred to their enemies as “eaters of hamburgers”.

HangUp’s specialty was banking trojans–malware that takes advantage of online banking portals and payment systems. As online banking rose in popularity during the mid-2000s, and cyber security over its platforms struggled to keep up, HangUp found great success with bots, exploits of core Windows features, and zero-day vulnerabilities. One of its most resounding successes, Haxdoor, was an early form-grabbing trojan. Once downloaded to a target computer via a malicious PDF, it opened a backdoor TCP port and delivered the most sensitive personal information of the target computer’s unwitting owner, just as soon as they typed it into an online banking site or payment portal.

The creator of Haxdoor went by the name “Corpse”. Corpse’s success had as much to do with the distribution of his malware as it did the malware itself. By the mid-2000s he was selling a version of Haxdoor called Nuclear Grabber, for over 3,000 dollars a pop on the black market. Now, it’s not immediately obvious why he would do this. A successful bank hack can yield orders of magnitude more than 3,000 dollars. In one notable instance, Haxdoor was used to steal eight million kroner–just under a million U.S. dollars–from the Swedish bank Nordea. Corpse was like a comic book villain who built a death ray, then rented it out to any ordinary criminal with a few thousand bucks in their pockets.

Corpse wasn’t your typical villain, though. One senses he had a paranoia about him–like he always suspected he was on the verge of being caught. He may have been right.

After Haxdoor’s success, Corpse tried to lower his profile. Selling malware, rather than carrying out attacks himself, may have been a way to distance himself from the action. But word got out. Computerworld magazine teamed up with an investigator from Symantec to locate and speak with Corpse, by pretending to be a buyer for Nuclear Grabber. Corpse confirmed everything the researchers suspected, then gave them more than they’d bargained for, by personally offering to store any stolen data they hacked with his tool on American, Chinese or European servers for 150 dollars a month. The story was published in January of 2007. Corpse disappeared. But the legacy of Haxdoor did not.

Don Jackson

Don Jackson joined SecureWorks as a security researcher in mid 2006. By this time he’d been working as an analyst for a decade. When a friend of his noticed a strange problem with his computer, Don was called on for a favor. A number of this friend’s online accounts had been hijacked, and antivirus checks had identified a certain executable file as a potential source of the problem. The executable wasn’t labeled malicious, but it wasn’t cleared, either.

At first, the prospect of investigating some anonymous .exe file didn’t seem terribly interesting to Jackson. He recounted the experience in a long, four-part story in CSO magazine, back in January of 2007. “Generally,” he said, “the exe is not all that exciting to researchers who see hundreds of these samples a month.” Still, as a favor to his friend, he downloaded the file to a lab computer. Upon first glance, it seemed just as uninteresting as he’d anticipated. Another banking Trojan, another Haxdoor offshoot.

It worked much like the other banking Trojans of the time. It began infecting new Windows machines via an Internet Explorer 6 exploit. Once arrived, it didn’t cause a crash, lock away data, or filter important data away. Instead, it simply waited. Once the computer’s user visited a website which asked for useful data, it would perk up its ears. This was a “form-grabbing” Trojan. When a user typed and submitted their most sensitive personal identifying information into a bank’s website, for example, the malware would secretly send a copy that same information back to a server controlled by a hacker.

It’s crucial to note that form-grabbers don’t breach the actual bank sites they target. Instead, they breach an individual’s computer, and activate when that individual visits something like a bank site. This method has distinct benefits. For one thing, it’s much easier to hack a single person than a whole bank. And even if the malware is discovered, individuals lack the resources to counter-punch and investigate their hackers.

Ultimately, this trojan may not have been anything new. In fact, it was anything but new. It mostly mashed together successful features of other past banking trojans, with little tweaks. Like a greatest hits album of Haxdoor-era banking malware. But it was effective at stealing information, and not only that: many weeks into being out in the wild, it wasn’t identified as malicious by any antivirus vendors. That’s because it had built-in features to keep hidden, like taking advantage of SSL.

Secure sockets layer is a security protocol of the internet that does two things: verify that the website you’re visiting is certified, and encrypt traffic over your connection. It’s what turns “http” to “https”, and adds that little lock icon next to the web domain of the site you’re visiting. What this banking trojan did, however, was mask itself as a “layered service provider”. Essentially, it squeezed in between a browser and SSL, siphoning off data from banking websites before it could be stopped or encrypted by SSL. Infected computers would still display that lock icon beside their bank website domain, even though they were anything but secure.

Don Jackson gave this trojan a name: “Pizdato”, after a word found in the source code. After learning what pizdato actually meant – “Pizda” is Russian slang for vagina – Jackson changed the name to “Gozi”.

After a couple days of analysis, Jackson discovered one more component to Gozi: it connected back to servers hosted in Russia. When he poked his head in to see where that connection ended, he was like Dorothy opening the door to a world of color. All that time he’d spent analyzing the malware was just him scratching at the surface of something much, much deeper.

An Enterprise is Born

Botnets tend to be controlled by a single entity, and take mass orders. They’re like robot armies, and the hackers that create and maintain them are like army generals. Oftentimes, because of their sheer scale, hackers will use botnets to steal so much data from so many computers that they simply can’t handle it all. Ten stolen credit cards is one thing, but what could you possibly do with 50,000 credit card numbers? It’s too much work to use each one for fraud, so the data usually ends up sold on the black market.

Nikita Kuzmin had a different idea of how to weaponize a botnet. His model was Corpse. Corpse had built the powerful Haxdoor banking trojan, but there’s little evidence that Corpse actually used Haxdoor to carry out successful hacks of his own. Instead, he peddled it to others. In exchange for a few thousand dollars, distance from the criminal activity, and not actually having to do any of the work of hacking a bank account, he promised the kind of malware that could earn a talented hacker a lot more than the few thousand dollars they were being charged. Both he and his customers got something out of the deal, like any good business.

Nikita would take that concept and turn it into an enterprise. First, in 2005, he conceived of a banking trojan. He came up with a list of technical specifications he wanted it to meet, then hired freelance hackers to build it. Next, he brought on two business partners.

“Exoric” was a systems administrator based in the United States who, importantly, was of Latino descent, and spoke Spanish. He acted as the middleman between Nikita and their Panama-based bulletproof host.

Aleksander Kalinin, who went by the name “Grig,” was the last member of the trio. The year after Gozi, he would join another group and commit one of the most famous hacks in history—more on that in a future episode of our show. Based out of Russia, his expertise seems to be evading the law, as he escaped jurisdiction in both instances.

Together, Grig, Exoric, and Kuzmin–who went by the name “76” online–formed “76Service”, perhaps the oddest and most brilliant malware operation ever conceived to that point in time.

Jackson Goes Deeper

And it was being tracked. After tracing the Russian connection, Don Jackson went undercover and dove straight into the criminal underground to find out what was going on behind the strange executable on his friend’s computer. Posing as a British cybercriminal, under the handle ‘Gozi’ (remember, Gozi is the name he gave the malware, not the name it was known by at the time), he began searching darknet forums where stolen credit card information was bought and sold, for anybody who seemed to know about Gozi and its proprietors. Before long he spotted some users with avatars he recognized: members of the HangUp team that he’d become familiar with from previous research. He decided he knew enough about these guys to pose as a potential buyer, and figure out what was going on through them. ‘Inside the Global Hacker Service Economy’, the 2007 CSO Magazine article that broke the full story, describes what happened next. I quote:

“In response to requests he posted, one of these HangUp Team members e-mailed Jackson at an anonymous safe-mail.com account. The e-mail told Jackson to log on to a specific IRC chat room with a specific name at a specific time. Jackson, using a machine configured to hide its location, did so. The room was virtually crowded. The channel moderator was offering preview accounts to 76service such that the users could tour the site. Jackson asked if he could take a test run, too. [. . .] A few derided Jackson for his ignorance and, in so many words, told him to go away.”

This and Jackson’s subsequent attempts at identifying the Gozi sellers failed, but he had another plan. After navigating the dark web, Don Jackson reached out to a colleague who’d long been investigating the HangUp team, and owned login credentials to 76Service. Even with all he knew already, he couldn’t have anticipated what he was about to see. Like Dorothy opening the door to the magical, colorful land of Oz, Jackson peered behind the curtain of what at first seemed to be an ordinary malware, to find an entire software service–befit with subscription plans, user-friendly features, and an easy-to-navigate interface that tracks cybercrime victims like stocks on a brokerage app.

The Vision of Nikita Kuzmin

This was the vision of Nikita Kuzmin: malware, sold as a legitimate business operation. Corpse sold his malware like a product, Nikita sold his as a service. Here’s how it worked…

Once Gozi was finished infecting a new machine, you’ll recall, the first thing it did was wait. Like a sleeper agent, it would only perk up when a user visited a site that required them to input sensitive data. So each infected machine in the world was like a seed: it might get rain, growing big and tall and bearing fruit, or it might not get any rain at all, ending up short and limp.

Nikita’s team planted those seeds, in computers around the world, but didn’t harvest them personally. Instead, they sold them for other cyber-criminals to harvest. You couldn’t know which seeds would bear fruit, but certain seeds were more likely to than others. A newly-infected machine was worth more than one which had already been included in some other hacker’s subscription package before. Users could pay a premium for new seeds, or try to scrape whatever they could off the old ones at a bargain price. Savvy investors might buy a suite of infected machines, some new and some old, to balance their risk.

76Service customers didn’t own their seeds, though. Subscription plans lasted 30 days, to align with typical monthly billing cycles–the window of time in which a target would likely visit their bank online. If your seed didn’t yield bank information, or only returned less valuable social media or login data, there was always another cycle coming up. If your seed did bear fruit–names, birthdays, social security numbers, card numbers–the stolen information would upload straight to your account. From there you could use it for fraud, or pawn it off on the black market, up to you. 76Service took nothing off the top.

Like Corpse, Nikita and his crew sold the promise of high returns in exchange for steady income. They were separated by one or two degrees from any crimes that might be carried out using their malware, and didn’t have to do the work of carrying out attacks themselves. This freed up their time to work on the more business-oriented aspects of their service, like user experience and design.

And 76Service didn’t just act like a proper business app, it looked like one, too. It had a slick interface, with a shiny logo and a color palette of blues and purples. After logging in, users were presented with a panel of project management tools where they could search, filter by category, purchase new infected machines, and check on the status of their currently active infections. Through a network of freelance hackers-for-hire, Nikita regularly implemented anti-security updates for Gozi, and offered a suite of secondary services to his customers at extra cost.

It was, all in all, just like any other internet business. Earlier in this episode we quoted Don Jackson, who said of Nikita Kuzmin that, quote, “Despite his young age, he was trusted, respected for his practical technical skills and coding talent, and also known for his enthusiasm for the idea that Internet fraud, especially against Western targets, was a legitimate profession.” Nikita didn’t just believe that hacking could be a profession, he turned it into a profession. 76Service was the culmination of his beliefs. It was an original, well-executed business that met a market demand.

And it made him rich. How much money did you make in 2006? According to the FBI, a teenage Nikita Kuzmin made a quarter million dollars that year.

Bigger, Better

But the glory days of 76Service were numbered. Don Jackson had contacted the FBI, who partnered with Russian authorities to investigate. Jackson published a technical report, and was interviewed for the long form exposé largely responsible for the research that went into today’s episode. Antivirus vendors added Gozi’s signature to their databases. In collaboration with internet service providers, 76Service began to be cordoned off and, by mid-March of 2007–only a year or so after the service began–it was effectively closed down. A bum rush began, as 76Service customers hurried to use their stolen data before their accounts disappeared. Jackson claims that, in just those few Spring days, hundreds of bank accounts were juiced for up to tens of thousands of dollars at a time.

This appeared to be the end of 76Service, and Nikita Kuzmin. But it was not. Nikita had a new idea: a new, bigger, better business that’d make the first one seem small in comparison. In our next episode, the 2nd and final installment of this mini-series on the Gozi malware, we’ll hear about Nikita’s plan to modernize Gozi, and how his new business fared in the competition against a new generation of banking trojans, most notably Zeus – the 800 pound gorilla of the financial malware scene of its time. All that and more, next time on Malicious Life.

X

Want to hear our bonus episode?