PDF spam makes an appearance
- By William Jackson
- Nov 02, 2007
The first exploits of a vulnerability in Adobe Acrobat and Reader on Windows have been reported in the wild by researchers at SecureWorks.
Senior researcher Don Jackson said the exploit being distributed as a PDF in spam downloads a variant of the Gozi Trojan. The Trojan is programmed to capture data entered into secure Web sites, ensuring that it will catch most financial or other transactions that can yield valuable personal and account data.
The Gozi Trojan dates to February and has been used by the Russian Business Network to steal large volumes of personal data. The latest version of it, Gozi.F, was detected by only 26 percent of the 32 largest anti-malware vendors as of Oct. 23, SecureWorks said.
The PDF exploit is the first found in the wild of a vulnerability detected in September and described as CVE-2007-5020 in the National Vulnerability Database. It can enable the execution of malicious code through a doctored PDF file.
Adobe rated this vulnerability, which affects users on Windows XP or Windows 2003 with Internet Explorer 7 installed, as critical. Exploitation requires downloading the malicious file. The company recommended Oct. 22 that affected users upgrade to Adobe Reader 8.1.1 or Acrobat 8.1.1.
The PDF is labeled as a bill or invoice and can be included as an attachment or represented as a PDF file icon. In either case, when opened, it downloads a first-stage downloader .exe file from the Russian Business Network hacker site by anonymous File Transfer Protocol and executes it. The downloader then installs the Trojan, which is used to capture and send personal data.
In addition to updating
antivirus signatures, SecureWorks advises administrators to block traffic to the Russian Business Network by blocking FTP traffic to 220.127.116.11 and HTTP traffic to 18.104.22.168.
William Jackson is freelance writer and the author of the CyberEye blog.