It looks like a Russian Trojan program named Gozi remained undetected for more than 50 days. In that time the Trojan acquired confidential data worth an estimated $2 million on the black market. The stolen data included more than 10,000 private records belonging to about 5,200 US users, about 2,000 Social Security numbers, and account numbers, user names and passwords for bank accounts and e-commerce sites. It also included employee passwords for applications belonging to more than 300 companies and government organisations - including several US law enforcement agencies - and medical information on health care employees and patients whose user names and passwords were stolen from their home PCs.
The stolen information was sent by Gozi to a server in St. Petersburg, where it was sold on a subscription basis to an unknown number of individuals. Don Jackson, a security researcher at SecureWorks, uncovered the theft in January. Jackson said that there are at least two more known variants of Gozi, meaning new attacks are taking place. According to Jackson, an acquaintance reported that several accounts on websites he visited from work and home had been hijacked. An investigation of the friend's PC uncovered a previously unclassified malware executable that appeared to have been installed the previous December.
The Trojan was designed to steal data from encrypted SSL streams and send it to a server in Russia. Because it runs on the victim's PC, it captures the data on the endpoint itself, where SSL offers no protection. It took advantage of a buffer overflow vulnerability in Internet Explorer's handling of iframe tags, which allows an attacker to take complete control of a compromised system. Jackson said that the server to which the information was sent had a very professional-looking front end that let users log into individual accounts, view indexed data and query fields such as URL and form parameters. Each query had a price, Jackson said. The currency used on the site was WMZ, a WebMoney unit worth roughly the same as a US dollar.
When the Trojan was discovered in January, not one of the 30 anti-virus programs Jackson tested recognised it. Some of the programs flagged it as a suspicious file or a generic threat, purely because it had been compressed with a commonly known packing tool. A month later the updated versions of the same programs were tested again; most did a better job of finding Gozi, but five of them still missed it completely.
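The "generic threat" verdicts above come from packer heuristics rather than a Gozi signature: a scanner that sees section names belonging to a known packer, or sections whose bytes are close to random, knows only that the code has been compressed or obfuscated, not what it does. The following is an added example of such a heuristic, written for this page and not taken from any anti-virus product or from the SecureWorks analysis. It parses the PE section table directly, checks section names against an illustrative (non-exhaustive) list of packer names, and measures Shannon entropy; the 7.0 bits/byte threshold, the name list and the `build_pe` helper that constructs minimal test images are all assumptions made for the example.

```python
import math
import struct

# Illustrative list of section names left behind by common packers (assumption, not exhaustive).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                        b".petite", b".MPRESS1", b".MPRESS2"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the PE headers and return [(section_name, raw_bytes)] for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)          # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # COFF file header (20 bytes)
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)    # SizeOfOptionalHeader
    sec_table = coff + 20 + opt_size                       # section headers, 40 bytes each
    sections = []
    for i in range(num_sections):
        off = sec_table + i * 40
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_heuristics(pe: bytes, entropy_threshold: float = 7.0):
    """Return a list of human-readable findings; an empty list means nothing looked packed.
    Note what this does NOT say: a packed file is suspicious, not known-malicious."""
    findings = []
    for name, data in parse_sections(pe):
        label = name.decode(errors="replace")
        if name in PACKER_SECTION_NAMES:
            findings.append(f"known packer section {label}")
        if len(data) >= 256:                                # skip tiny sections: entropy is noisy there
            ent = shannon_entropy(data)
            if ent > entropy_threshold:
                findings.append(f"high-entropy section {label} ({ent:.2f} bits/byte)")
    return findings


def build_pe(sections):
    """Construct a minimal, non-executable PE image for testing (assumption: only the fields
    parse_sections reads are meaningful; SizeOfOptionalHeader is 0, which real files never use)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, blob = b"", b""
    ptr = 64 + 4 + 20 + 40 * len(sections)                  # raw data starts after the headers
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), 0x1000, len(data),
                                                    ptr, 0, 0, 0, 0, 0x60000020)
        ptr += len(data)
        blob += data
    return dos + b"PE\0\0" + coff + table + blob


if __name__ == "__main__":
    # Constructed samples: a plain text section versus a UPX-style layout with near-random bytes.
    plain = build_pe([(b".text", b"A" * 1024)])
    packed = build_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 4)])
    print("plain :", packer_heuristics(plain))
    print("packed:", packer_heuristics(packed))
```

Running it flags the constructed UPX-style image on both counts and says nothing about the plain one, which is exactly the behaviour the article describes: a heuristic like this can raise "suspicious file" on a packed sample the day it appears, but turning that into a named detection still needs someone to unpack the binary and write a signature.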
Details about the Trojan and about the information on the Russian server have been passed on to law enforcement authorities and to several of the affected companies. The subscription service is no longer working, but the server housing the data is still online and continues to receive stolen information.