NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0328 Russian Cyber Criminals Spread Gozi Trojan with PDFs:
The Russian Business Network (RBN) - a Russian internet service provider known for
hosting illegal or shadowy businesses including child pornography, phishing, and
malware distribution sites - has been using malicious PDFs to broadcast a Gozi
Trojan variant since 23 October. SecureWorks, which originally discovered the Gozi
Trojan in February, said RBN was responsible for the latest operation, as it was
for the initial one, and that the success of the exploit had caused RBN to take down
two servers that were becoming overloaded. SecureWorks sources confirmed that the
attack is widespread.
The Gozi Trojan has been used to steal personal data with a black market value of
over $2 million, including bank, retail, and payment services account numbers, as
well as Social Security numbers, according to the report.
The criminals are sending out spam with rigged PDF attachments that turn a
victim's PDF reader into a malware installer. Opening the PDF downloads the
Gozi variant, which then captures any data entered into SSL-encrypted sites, including
most Internet banking, online retail, and corporate intranet sites.
The exploit successfully uses a URL-handling vulnerability in Windows XP and
Windows Server 2003 running Internet Explorer 7. The rigged PDF file uses a
"mailto: option" vulnerability in Adobe Acrobat 8.x to install the Trojan, which in
turn downloads a file that Symantec identified on 23 October as "Downloader."
That document is delivered as a piece of spam with a file name such as "BILL.pdf"
or "INVOICE.pdf". SecureWorks noted that those names may change.
According to a separate press report, only 26% of the major AV providers protect
against the new variant.
(www.eweek.com 25OCT07 // www.theregister.co.uk 26OCT07)