PDF Exploit Spam Used to Install Gozi Trojan in New Attack
- Author: Don Jackson
- Date: October 22, 2007
On the evening of Tuesday, October 23, 2007, SecureWorks began to notice a large volume of spam using the gmail.com domain and containing PDF attachments. Those attachments were in fact the first exploits of a vulnerability in the handling of "mailto" URIs in Adobe Acrobat 8.x (CVE-2007-5020) ever found "in the wild."
The spam messages look like this:
From: Gilbert <firstname.lastname@example.org> Subject: STATEMET indigene Date: Tue, 23 Oct 2007 08:08:22 +0000 fanner ctenoid varment<<BILL.pdf>>
The attachment may instead be represented by an icon used to represent PDF files. These attachments use filenames such as BILL.pdf or INVOICE.pdf, but those filenames, as well as the sender and message content itself, may change.
The attached exploit may be detected by some anti-malware vendors as Downloader.PDF, Pidief.A or similar names.
The exploit downloads the latest variant of the Gozi Trojan EXE file from an RBN (Russian Business Network) server via anonymous FTP and executes it.
The latest Gozi variant (Gozi.F) installed by this exploit was detected by 26% of 32 of the largest anti-malware vendors at the time of release. It is detected as these various names:
SecureWorks has protections in place for its clients and recommends organizations and computer users lower their risk by following the advice on upgrades and workarounds provided by the vendor:
Other ways to mitigate the risk include:
- Update anti-virus signatures.
- Block FTP network traffic to 220.127.116.11 (Russian Business Network).
- Block HTTP network traffic to 18.104.22.168 (Russian Business Network).
- Warn users not to open PDF files or any other type of email attachment from untrusted sources.
The Gozi snort signatures published previously on the SecureWorks web site will prevent stolen data from being transmitted to the attackers.
SecureWorks has shared the malware samples with anti-virus vendors and has informed law enforcement and US-CERT.