Malware News: Gozi Trojan Makes a Comeback Using PDF Spam, Then is Shut Down

Dormant Trojan behind a subscription identity theft service returns to exploit a known vulnerability in Adobe Acrobat 8.x, then disappears

October 25, 2007 CSO — The Gozi Trojan, a bot that fronted a sophisticated hacking subscription service earlier this year, was found again in the wild today infecting PCs at a healthy clip through the use of PDF spam. But, perhaps a victim of its own success, the servers that hosted the malware started to clog their own network and pull down performance, causing the service provider hosting the servers to shut them down voluntarily, according to SecureWorks security researcher Don Jackson.

Jackson, who last January accidentally discovered the Gozi Trojan and the service it connected to, called 76service, said the latest distribution of the Gozi bot is the first in-the-wild exploit of a vulnerability in Adobe Acrobat version 8.x. The vulnerability stems from the fact that a PDF file can be made to invoke a "mailto:" URI automatically when it is opened. Attackers craft that URI so that, instead of being handed to an e-mail client, it is passed to the operating system and interpreted as a command. The command instructs the machine to fetch and run a small program known as a downloader, which in turn retrieves and installs the Gozi bot.
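The mechanism described above (a PDF whose open-time action carries a "mailto:" URI stuffed with characters that make sense to a command shell rather than to a mail client) can be triaged without opening the file. The scanner below is an added example written for this page, not code from the article, SecureWorks or Adobe. It assumes an unencrypted PDF without object streams, looks at the /OpenAction and /AA (additional actions) entries that fire automatically, resolves the URI action they point to, and flags a mailto: URI that contains quotes, backslashes, whitespace, "..", a malformed percent escape or an executable extension. The two embedded PDFs are constructed samples, and the metacharacter heuristic is an assumption about what a hand-crafted URI looks like, not the actual Gozi payload.

```python
"""Heuristic scanner for PDFs whose automatic actions launch a suspicious mailto: URI.

Added example; handles plain (unencrypted, no object streams) PDFs only.
"""
import re
import sys

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)      # "N G obj ... endobj"
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")                           # indirect reference "N G R"
URI_LITERAL_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)       # /URI (literal string)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")               # /URI <hex string>
TRIGGER_KEYS = (b"/OpenAction", b"/AA")                              # actions that run without a click
# Assumed heuristic: a mailto: address should never carry these.
SUSPECT_RE = re.compile(r"""["'\\\s]|\.\.|%(?![0-9A-Fa-f]{2})|\.(exe|bat|cmd|scr)\b""", re.I)

# Constructed samples (not real malware): a benign open-time mailto: link, and a file whose
# catalog and page actions both point at mailto: URIs full of shell-style characters.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /URI /URI (mailto:help@example.com?subject=Hi) >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SUSPECT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 5 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Page /AA << /O 4 0 R >> >> endobj
3 0 obj << /S /URI /URI (mailto:test%"/../payload.exe) >> endobj
4 0 obj << /S /URI /URI <6D61696C746F3A612062> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def parse_objects(data: bytes) -> dict:
    """Map object number -> raw body for every 'N G obj ... endobj' in the file."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}


def dict_after(text: bytes, pos: int) -> bytes:
    """Return the balanced '<< ... >>' dictionary starting at pos (b'' if none)."""
    if not text.startswith(b"<<", pos):
        return b""
    depth, i = 0, pos
    while i < len(text):
        if text.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif text.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return text[pos:i]
        else:
            i += 1
    return b""


def trigger_actions(objects: dict):
    """Yield (object number, trigger key, action text) for each /OpenAction or /AA entry."""
    for num, body in objects.items():
        for key in TRIGGER_KEYS:
            for m in re.finditer(re.escape(key) + rb"(?![A-Za-z])\s*", body):
                rest = body[m.end():]
                if rest.startswith(b"<<"):                 # inline action dictionary
                    yield num, key, dict_after(rest, 0)
                else:                                       # reference to an action object
                    ref = REF_RE.match(rest)
                    if ref and int(ref.group(1)) in objects:
                        yield num, key, objects[int(ref.group(1))]


def decode_literal(raw: bytes) -> bytes:
    """Undo the PDF literal-string escapes that matter here: \\( \\) \\\\ ."""
    return re.sub(rb"\\([()\\])", lambda m: m.group(1), raw)


def decode_hex(raw: bytes) -> bytes:
    """Decode a PDF hex string; PDF pads a trailing odd digit with 0."""
    digits = re.sub(rb"\s", b"", raw).decode("ascii")
    return bytes.fromhex(digits + "0" if len(digits) % 2 else digits)


def uris_in(action: bytes, objects: dict) -> list:
    """Collect /URI strings from an action and from the objects it references (one hop)."""
    texts = [action] + [objects[int(n)] for n in REF_RE.findall(action) if int(n) in objects]
    uris = []
    for t in texts:
        uris += [decode_literal(m.group(1)) for m in URI_LITERAL_RE.finditer(t)]
        uris += [decode_hex(m.group(1)) for m in URI_HEX_RE.finditer(t)]
    return uris


def scan_pdf(data: bytes) -> list:
    """Return findings as (object number, trigger key, uri, offending fragment)."""
    objects = parse_objects(data)
    findings = []
    for num, key, action in trigger_actions(objects):
        for uri in uris_in(action, objects):
            text = uri.decode("latin-1")
            if not text.lower().startswith("mailto:"):
                continue
            hit = SUSPECT_RE.search(text[len("mailto:"):])
            if hit:
                findings.append((num, key.decode(), text, hit.group(0)))
    return findings


if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        with open(path, "rb") as fh:
            for num, key, uri, frag in scan_pdf(fh.read()):
                print(f"{path}: obj {num} {key} -> {uri!r} (suspicious: {frag!r})")
```

Run it as `python scanner.py suspect.pdf` to print one line per automatic mailto: action that trips the heuristic; the benign sample produces nothing, the constructed sample produces one hit from the catalog's /OpenAction and one from the page's /AA. Anything compressed into object streams or encrypted would need to be inflated first, so treat a clean result from this scanner as "nothing obvious", not as a clean bill of health.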

Although it has been tweaked to carry out many duties, Gozi is primarily a form grabber, meaning it steals information entered into online forms, such as user names and passwords. It targets banking forms primarily, for sensitive financial credentials. It captures the data inside the browser after it is typed but before the browser encrypts it with SSL, meaning that the little glowing lock on the browser may be on, but the information is still being taken.

Connecting Gozi to the Adobe vulnerability, Jackson says, was smart. "The thing about the Adobe exploit is it's so easy to work with," says Jackson. "Once you see the proof-of-concept code, you can really get creative adapting it." Adobe has issued a patch for the vulnerability.

This latest attack provides a good example of several successful tactics in the malware business coming together for a single attack. It uses a recent and widely publicized vulnerability (in Acrobat) to deliver a known-to-be-effective Trojan (Gozi), which is delivered to PCs by a separate botnet that sends the lure messages in bulk through Google Gmail accounts, yet still slips past spam filters by carrying the exploit as a PDF attachment, another popular and recently successful tactic (PDF spam).

"This is all about windows of opportunity," says Jose Nazario, security researcher in the office of the CTO at Arbor Networks. "These are recent techniques proven to work. They use them until they don't work anymore. Until someone figures out how to stop them. They burn them to the ground then move on."
