According to the RSA blog post, "In a boot camp-style process, accomplice botmasters will be individually selected and trained, thereby becoming entitled to a percentage of the funds they will siphon from victims' accounts into mule accounts controlled by the gang. To make sure everyone is working hard, each botmaster will select their own 'investor,' who will put down the money required to purchase equipment for the operation (servers, laptops) with the incentive of sharing in the illicit profits."
RSA says that although Gozi and the Prinimalka variant are very similar, Gozi writes a single DLL file to its bots upon deployment, whereas Prinimalka creates an EXE file and a DAT file, with the DAT file used to support command and control. Significant differences also exist in the registry keys and values.
RSA recommends that banks review their authentication procedures in advance of the intended onslaught. "Our adaptive authentication feature can recognize whether the machine is being used manually or automatically, based on behavior patterns," added RSA's Veral. "It looks into how fast the user logs in, whether they are using the same machine, same time of day, and a number of other parameters. The machine typing in credentials is much faster than most people can keystroke. This is one of the factors that we use."
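To make the checks Veral describes concrete, the following is an added illustration written for this page, not RSA's adaptive authentication code or anything from the article. It scores a single login attempt on three of the signals he names: how fast the credential fields were typed, whether the device has been seen on the account before, and whether the hour of day fits the account's history. The thresholds, weights, action labels and the sample events are assumptions chosen for the example.

```python
"""Behavior-based login risk scoring (added example).

Illustrative code for this page, not RSA's product or the article's own
material. Thresholds, weights, labels and sample data are assumptions.
"""
from dataclasses import dataclass
from statistics import median

# Assumed thresholds. A median gap between keystrokes below MIN_HUMAN_GAP_S
# is faster than people type; a spread below UNIFORM_SPREAD_S means the gaps
# are nearly identical, which is what a scripted key-sender produces.
MIN_HUMAN_GAP_S = 0.04
UNIFORM_SPREAD_S = 0.005


@dataclass(frozen=True)
class AccountProfile:
    known_devices: frozenset   # device fingerprints seen on successful logins
    usual_hours: frozenset     # hours of day (0-23) at which this account logs in


@dataclass(frozen=True)
class LoginAttempt:
    device_id: str
    hour: int
    keystroke_gaps_s: tuple    # seconds between successive keystrokes in the credential fields


def typing_risk(gaps):
    """Score the keystroke timing of the credential fields alone."""
    if not gaps:
        # No per-key events at all: the fields were filled by paste, autofill
        # or direct script injection rather than typed.
        return 0.3, "credentials filled without keystrokes"
    if median(gaps) < MIN_HUMAN_GAP_S:
        return 0.5, "keystrokes faster than a person can type"
    if len(gaps) >= 4 and (max(gaps) - min(gaps)) < UNIFORM_SPREAD_S:
        # Human timing jitters; a fixed inter-key delay is a scripted typer
        # trying to stay under the speed threshold.
        return 0.3, "uniform keystroke timing"
    return 0.0, None


def score_login(profile, attempt):
    """Return (risk score in [0, 1], list of reasons) for one attempt."""
    score, reasons = 0.0, []
    t_score, t_reason = typing_risk(attempt.keystroke_gaps_s)
    score += t_score
    if t_reason:
        reasons.append(t_reason)
    if attempt.device_id not in profile.known_devices:
        score += 0.3
        reasons.append("device not previously seen for this account")
    if attempt.hour not in profile.usual_hours:
        score += 0.2
        reasons.append("login outside the account's usual hours")
    return min(score, 1.0), reasons


def decide(score):
    """Map a score to an action: allow, challenge (step-up), or deny."""
    if score >= 0.7:
        return "deny"
    if score >= 0.3:
        return "step_up"
    return "allow"


# Constructed sample data for the example (not real accounts or events).
PROFILE = AccountProfile(known_devices=frozenset({"dev-A"}),
                         usual_hours=frozenset({8, 12, 19, 20}))
HUMAN_LOGIN = LoginAttempt("dev-A", 19, (0.12, 0.18, 0.09, 0.21, 0.15, 0.11))
BOT_LOGIN = LoginAttempt("dev-Z", 3, (0.002,) * 8)   # scripted, new machine, 3 a.m.
PASTED_LOGIN = LoginAttempt("dev-A", 12, ())          # known device, no key events

if __name__ == "__main__":
    for name, attempt in [("human", HUMAN_LOGIN), ("bot", BOT_LOGIN), ("pasted", PASTED_LOGIN)]:
        s, why = score_login(PROFILE, attempt)
        print(f"{name:7s} score={s:.2f} action={decide(s)} reasons={why}")
```

The typing check on its own is not sufficient: a botmaster who logs in by hand with credentials the trojan stole types at human speed and passes it. That is why device and time-of-day factors are scored independently here, so that a correct password typed normally from an unfamiliar machine at an odd hour still triggers a step-up challenge rather than a silent allow.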
Another useful defense is to dedicate one machine to banking and brokerage transactions and use a separate machine for all other computing.
"That's a good idea," added Veral. "When you go online, you don't have any control over the security of the websites that you visit. There is malware that can infect your machine just by visiting the website even without clicking an actual file. These are drive-by attacks. If you had a machine [used] just for banking, that would be a lot better than sharing the machine among all functions."