Friday, 23 August 2013

What is project Blitzkrieg and what did it do?

Project Blitzkrieg got a lot of media attention after RSA researchers wrote that they had discovered an operation run by an individual known as vorVzakone.
The anti-virus company McAfee published a PDF report that gives a clearer picture of the Project Blitzkrieg events; the relevant passages are reproduced below.

Origins of Prinimalka and Project Blitzkrieg

Prinimalka is built upon earlier Trojan variants. This Trojan has been used for some time in various campaigns, but most recently in Project Blitzkrieg. The campaign was originated by vorVzakone and perhaps the hacker 01NSD. Our research indicates the operation has been in the planning stages for many months.
 
There has been much speculation as to what group was responsible for the development of Prinimalka. 
 
The Trojan itself is just a tool used by the operators of Project Blitzkrieg. Any actual fraud as claimed in the forum posting since 2008 may have been conducted by vorVzakone’s associates or by some other group. We do know that the thieves have had an active system since April 2012, with at least 500 victims who can be linked to vorVzakone.
 
The Prinimalka Trojan was not developed by vorVzakone or 01NSD according to our analysis of underground chatter regarding this Trojan; rather it was developed by another group and provided to them. It appears vorVzakone can compile the source code into new binaries; hence, it is possible for skilled people on his team to make certain modifications. But, from the variants we have seen, the binaries used in a specific campaign tend to be nearly identical. VorVzakone planned to provide the Trojan and supporting infrastructure to those who would join him in his campaign. He also continues to confirm several other members of the underground who have stolen money already via this Trojan, citing its success to counter arguments against the buy-in he requires.
 
This is very similar to the relationship that 76service.com had with the authors of Gozi, though the Trojan is private and not publicly provided for sale like Zeus and SpyEye, and is likely provided only to trusted groups in the underground. This tactic explains why Prinimalka has stayed beneath the radar for so long.
 
During our investigation we learned that the Prinimalka Trojan linked to Project Blitzkrieg is a direct evolution of a Gozi variant seen in early 2007 and discovered by Dell Secureworks. This Gozi variant was linked to former members of the HangUp Team and used by 76Service.com.
