Skip to Main ContentSkip to Footer
Threat Analysis

PDF Exploit Spam Used to Install Gozi Trojan in New Attack

October 22, 2007
  • Author: Don Jackson
  • Date: October 22, 2007

On the evening of Tuesday, October 23, 2007, SecureWorks began to notice a large volume of spam using the gmail.com domain and containing PDF attachments. Those attachments were in fact the first exploits of a vulnerability in the handling of "mailto" URIs in Adobe Acrobat 8.x (CVE-2007-5020) ever found "in the wild."

The spam messages look like this:

From: Gilbert  <[email protected]>
Subject: STATEMET  indigene
Date: Tue, 23 Oct 2007 08:08:22  +0000
fanner ctenoid varment<<BILL.pdf>>

The attachment may instead be represented by an icon used to represent PDF files. These attachments use filenames such as BILL.pdf or INVOICE.pdf, but those filenames, as well as the sender and message content itself, may change.

The attached exploit may be detected by some anti-malware vendors as Downloader.PDF, Pidief.A or similar names.

The exploit downloads the latest variant of the Gozi Trojan EXE file from an RBN (Russian Business Network) server via anonymous FTP and executes it. 

The latest Gozi variant (Gozi.F) installed by this exploit was detected by 26% of 32 of the largest anti-malware vendors at the time of release.  It is detected as these various names:

  • OrderGun
  • Orderjack
  • Germ
  • Small.BS
  • Pinch
  • Snifula
  • Ursnif
  • CWS
  • Infostealer
  • Zlob

SecureWorks has protections in place for its clients and recommends organizations and computer users lower their risk by following the advice on upgrades and workarounds provided by the vendor:

http://www.adobe.com/support/security/bulletins/apsb07-18.html

Other ways to mitigate the risk include:

  • Update anti-virus signatures.
  • Block FTP network traffic to 81.95.146.130 (Russian Business Network).
  • Block HTTP network traffic to 81.95.147.107 (Russian Business Network).
  • Warn users not to open PDF files or any other type of email attachment from untrusted sources.

The Gozi snort signatures published previously on the SecureWorks web site will prevent stolen data from being transmitted to the attackers.
SecureWorks has shared the malware samples with anti-virus vendors and has informed law enforcement and US-CERT.


Back to more Threat Analyses and Advisories

GET THE LATEST SECURITY UPDATES

Thank you for your submission.

Talk with an Expert

Thank you for submitting the form! We have received your request. A Secureworks team member will contact you within one business day.