Ah, the world of malware. It seems that the Gozi trojan/worm woke up today to start spewing out PDF spam again, only to shut down again. Weirdness.

Was this simply an attempt to blast out an attack against the Acrobat Reader vuln? It would appear that this was short-lived in order to take advantage of the short time window before a patch was available.

From CSO Magazine:

The Gozi Trojan, a bot that fronted a sophisticated hacking subscription service earlier last year (exclusive, comprehensive coverage here), was found again in the wild today infecting PCs at a healthy clip through the use of PDF spam. But, perhaps a victim of its own success, the servers that hosted the malware started to clog their own network and pull down performance, causing the service provider hosting the servers to shut them down voluntarily, according to SecureWorks security researcher Don Jackson.

Jackson, who last January accidentally discovered the Gozi Trojan and the service it connected to, called 76service, said the latest distribution of the Gozi bot is the first in-the-wild exploit of a vulnerability in Adobe Acrobat version 8.x. The Acrobat vulnerability is based on the fact that certain PDF pages will automatically execute a "mailto:" command when the file is opened. Hackers manipulate this such that the command gets passed off to the operating system instead of an e-mail client. The command tells the machine to download a small file called a downloader, which is simply another command that in turn tells the machine to download the Gozi bot.

Although it has been tweaked to carry out many duties, Gozi is primarily a form grabber, meaning it takes information entered into online forms, such as user names and passwords. It targets banking forms primarily for sensitive financial credentials. It has the capability of capturing sensitive data in the time after the data is typed but before it is encrypted with SSL, meaning that the little glowing lock on the browser may be on, but the information is still being taken.

Victim of its own success, or is it possible that the clients who bought into this botnet attack only paid for a short burst?
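The quoted CSO excerpt describes the delivery mechanism: a PDF whose open-time action carries a "mailto:" URI that is shaped like a command rather than an address, so the reader hands it to the operating system. Below is an added triage script (written for this post, not part of the CSO article and not Gozi sample code) that pulls /URI actions out of a PDF and flags mailto: values that do not look like mail addresses. The two PDFs inside it are constructed test inputs: the benign one is an ordinary mailto link, the suspicious one is a placeholder in the shape the article describes (a filesystem path ending in an executable), not the real payload. Every heuristic threshold and name here is my own choice.

```python
import re

# Constructed minimal PDF with an /OpenAction that fires a harmless /URI action.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /URI /URI (mailto:support@example.com?subject=Invoice%2042) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: same structure, but the mailto: target is a path to an
# executable rather than an address. Illustrative only, not the Gozi exploit string.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /URI /URI (mailto:%/../../../../../../Windows/system32/cmd.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI values may be PDF literal strings "( ... )" (with \( \) \\ escapes) or hex strings "< ... >".
LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")
EXEC_SUFFIX_RE = re.compile(r"\.(exe|bat|cmd|scr|pif|vbs|ps1)(\b|$)")


def extract_uri_actions(pdf: bytes) -> list:
    """Return every /URI action string found in the raw (uncompressed) PDF bytes."""
    uris = []
    for m in LITERAL_RE.finditer(pdf):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        uris.append(raw.decode("latin-1"))
    for m in HEX_RE.finditer(pdf):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:  # PDF pads an odd trailing nibble with 0
            digits += b"0"
        uris.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return uris


def assess_mailto(uri: str) -> list:
    """Heuristic reasons a mailto: URI looks like a command rather than an address."""
    reasons = []
    if not uri.lower().startswith("mailto:"):
        return reasons  # only mailto: is examined here
    body = uri[len("mailto:"):]
    addr_part, _, _headers = body.partition("?")
    addresses = [a for a in addr_part.split(",") if a]
    if not addresses or not all(EMAIL_RE.match(a) for a in addresses):
        reasons.append("recipient part is not a well-formed e-mail address list")
    if ".." in body or "/" in addr_part or "\\" in addr_part:
        reasons.append("path separators or traversal in a mailto: URI")
    if EXEC_SUFFIX_RE.search(body.lower()):
        reasons.append("executable file suffix inside a mailto: URI")
    if any(c in body for c in '"|&<>'):
        reasons.append("shell metacharacters inside a mailto: URI")
    return reasons


def scan_pdf(pdf: bytes) -> dict:
    """Summarise auto-run actions and suspicious mailto: URIs in one PDF."""
    uris = extract_uri_actions(pdf)
    assessed = [(u, assess_mailto(u)) for u in uris]
    return {
        # /OpenAction and /AA (additional actions) run without a click, as the article notes.
        "auto_open_action": b"/OpenAction" in pdf or b"/AA" in pdf,
        "uris": uris,
        "suspicious": [(u, r) for u, r in assessed if r],
    }


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(name, scan_pdf(doc))
```

The regexes only see plaintext objects, so a real sample whose action dictionary sits inside a FlateDecode object stream must be inflated first (a tool such as pdf-parser or qpdf can do that); likewise, treat the heuristics as a triage signal to pull a file for analysis, not as proof of malice, since a legitimate mailto: with unusual encoding can trip the address check.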


