This article is more than 1 year old

Last of the Gozi 3 sentenced over Windows info-stealing malware ops

Banking trojan still going strong as feds put bulletproof hosting point man behind bars

The last of the three men said to be responsible for infecting Windows computers with the banking trojan Gozi has been sentenced to three years.

Mihai Ionut Paunescu, 37, was said to have supplied the bulletproof hosting that is so vital for the efficient running of malware ops, allowing his co-conspirators to distribute the Gozi malware that stole confidential financial information from millions of computers, among them some Windows boxes running at NASA.

The Romanian national, whom Feds say was also known as "Virus," was sentenced [PDF] to three years in prison on Monday. He was extradited last year in Colombia, where he had apparently been living after being released on bail following an arrest in Romania in 2012.

Gozi famously turned up in 2007 and used phishing campaigns to infect millions of Windows boxes, inflicting "tens of millions of dollars in losses" worldwide. According to the court documents, at least 40,000 of those computers were in the US and some belonged to NASA. The space agency was hurt to the tune of $19,000, according to court docs.

The Reg has asked Paunescu's attorney for comment.

According to the original complaint [PDF], Paunescu had rented a dedicated server located in California which functioned as a proxy for computers infected with the Gozi virus as well as the Zeus Trojan. Prosecutors say Paunescu had rented IP addresses from ISPs and released them to criminals.

Feds reckon the operation [PDF] was led by Russian Nikita Kuzmin, aka "76," with Paunescu and Latvian Dennis Čalovskis, aka "Miami," working in concert with him. Sophos at the time described the trio as the "COO", the "CIO", and the "senior programmer" of the gang respectively.

Alleged kingpin Kuzmin pleaded guilty to computer break-in and fraud charges in May 2011 and was sentenced in May 2016 to time served (37 months) and had to pay back $6.9 million, while Čalovskis, whom prosecutors say wrote the computer code for certain "web injects" that enabled Gozi to target information from particular banks, was sentenced in January 2016 to time served (21 months) for his role in the offense.

The Feds described Kuzmin as both the creator of Gozi and as a "pioneer" in developing "an innovative means of distributing and profiting from it."

An unnamed investigator even told infosec journalist Brian Krebs at the time of the 2013 arrests that "76 Service" – referring to services provided by Kuzmin in phishing attacks on victims' bank accounts – was akin to "Salesforce for bad guys."

The grudging admiration of the FBI computer experts who helped officials investigate seems to have seeped into the 2016 press release from the New York attorney's office announcing his sentencing, which states:

Unlike many cybercriminals at the time, who profited from malware solely by using it to steal money, Kuzmin rented out Gozi to other criminals, pioneering the model of cybercriminals as service providers for other criminals. For a fee of $500 a week paid in WebMoney, a digital currency widely used by cybercriminals, Kuzmin rented the Gozi "executable," the file that could be used to infect victims with Gozi malware, to other criminals.

Paunescu, however, pleaded guilty only to the first count, conspiracy to commit computer intrusion. The other two charges against him, conspiracy to commit bank fraud and conspiracy to commit wire fraud, were dismissed by prosecutors on Monday.

Gozi malware is still in widespread use by today's criminals, with its longevity chalked up partially by researchers at Checkpoint to an incident where the source code to the Gozi "ISFB" variant (as opposed to the Gozi CRM variant — and yes, that stands for "Customer Relationship Management") leaked some time between 2013 and 2015. The threat researchers describe it as "frighteningly lucrative, even compared to the already lucrative cybercrime market." Various forks based on ISFB, including GozNym or Dreambot, are still around today. In October last year, researchers said they'd noticed it was evolving to support extortionware. ®

More about

TIP US OFF

Send us news


Other stories you might like