Malware News: Gozi Trojan Makes a Comeback Using PDF Spam, Then is Shut Down
Dormant worm behind a subscription identity theft service returns to exploit known vulnerability in Adobe Acrobat 8.x, then disappears
By Dave Gradijan
October 30, 2007, CSO
By Scott Berinato
The Gozi Trojan, a bot that fronted a sophisticated hacking subscription service earlier last year [see exclusive, comprehensive coverage on CSO's sister site, CIO.com], was found again in the wild in late October, infecting PCs at a healthy clip through the use of PDF spam. But, perhaps a victim of its own success, the servers that hosted the malware started to clog their own network and pull down performance, causing the service provider hosting the servers to shut them down voluntarily, according to SecureWorks security researcher Don Jackson.
Jackson, who last January accidentally discovered the Gozi Trojan and the service it connected to, called 76service, said the latest distribution of the Gozi bot is the first in-the-wild exploit of a vulnerability in Adobe Acrobat version 8.x. The Acrobat vulnerability stems from the fact that certain PDF files will automatically execute a "mailto:" command when the file is opened. Hackers manipulate this so that the command gets passed to the operating system instead of an e-mail client. The command tells the machine to download a small file called a downloader, which is simply another command that in turn tells the machine to download the Gozi bot.
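As an added example (not from the article or from SecureWorks), a defender-side triage script that scans an uncompressed PDF for URI actions whose target is a "mailto:" string, and flags any that carry characters beyond a plain address or that sit in a document with an /OpenAction entry. It assumes the auto-execute-on-open behaviour the article describes is expressed through /OpenAction, and that the objects are not hidden inside compressed streams; the two PDF byte strings are constructed samples, not real malware.

```python
import re
from typing import List, Tuple

# /URI action dictionary: "/S /URI ... /URI (literal string)". Assumed layout of
# an uncompressed PDF object; objects inside compressed streams are not seen.
URI_ACTION = re.compile(rb"/S\s*/URI\b[^>]*?/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
OPEN_ACTION = re.compile(rb"/OpenAction\b")
# Conservative shape of a legitimate, address-only mailto: URI (assumption).
SAFE_MAILTO = re.compile(r"^mailto:[A-Za-z0-9._%+\-@]+(\?[A-Za-z0-9=&._%+\-@]*)?$")

def pdf_unescape(raw: bytes) -> str:
    """Undo PDF literal-string escapes: \\( \\) \\\\ and \\ddd octal."""
    out, i = [], 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            if nxt in b"01234567":
                m = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
                out.append(int(m.group(), 8))
                i += 1 + len(m.group())
                continue
            out.append(ord(nxt))
            i += 2
            continue
        out.append(ord(c))
        i += 1
    return bytes(out).decode("latin-1")

def scan_pdf(data: bytes) -> List[Tuple[str, str]]:
    """Return (uri, reason) for each mailto: URI action that deserves a closer look."""
    auto_open = bool(OPEN_ACTION.search(data))
    findings = []
    for m in URI_ACTION.finditer(data):
        uri = pdf_unescape(m.group(1))
        if not uri.lower().startswith("mailto:"):
            continue  # only the mailto: handler is at issue here
        if not SAFE_MAILTO.match(uri):
            findings.append((uri, "mailto: URI carries characters outside a plain address"))
        elif auto_open:
            findings.append((uri, "mailto: URI in a document that runs an /OpenAction on open"))
    return findings

# Constructed samples, not real malware: a plain mail link, and a document that
# fires an action on open whose mailto: string holds non-address characters.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Action /S /URI /URI (mailto:alice@example.com) >>"
             b" endobj\n%%EOF")
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
               b"2 0 obj << /Type /Action /S /URI /URI (mailto:alice@example.com\";x) >>"
               b" endobj\n%%EOF")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PDF), ("suspect", SUSPECT_PDF)):
        print(name, scan_pdf(blob))
```

Run it over a mail gateway's quarantined PDFs to pick out candidates for sandboxing; it is a heuristic, so a clean result is not proof of safety.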
Although it has been tweaked to carry out many duties, Gozi is primarily a form grabber, meaning it takes information entered into online forms, such as user names and passwords. It targets banking forms primarily for sensitive financial credentials. It has the capability of capturing sensitive data in the window after the data is typed but before it is encrypted with SSL, meaning that the little glowing lock on the browser may be on, but the information is still being taken.
Connecting Gozi to the Adobe vulnerability, Jackson says, was smart. "The thing about the Adobe exploit is it's so easy to work with," says Jackson. "Once you see the proof-of-concept code, you can really get creative adapting it." Adobe has issued a patch for the vulnerability.
This latest attack provides a good example of several successful tactics in the malware business coming together in a single attack. It uses a recent and widely publicized vulnerability (in Acrobat) to deliver a known-to-be-effective Trojan (Gozi), which is distributed to PCs through yet another bot that mass-distributes e-mails through Google Gmail yet still bypasses spam filters by using another popular and recently successful tactic (PDF spam).