Posted (edited)

A malicious PDF attack launched earlier this week is downloading a variant of the Gozi Trojan—the same malware that's been used to steal personal data with a black market value of over $2 million, including bank, retail and payment services account numbers as well as Social Security numbers.

SecureWorks, which originally discovered the Gozi Trojan in February 2007, said the latest attack is coming from the same Russian criminals who launched the February attack.

The Russian Business Network—a Russian ISP that's notorious for hosting illegal or shadowy businesses including child pornography, phishing and malware distribution sites—has had to take down two servers that were getting overloaded due to the success of the exploit, according to SecureWorks.


The criminals are sending out spam with rigged PDF attachments. The PDFs transform a victim's PDF reader into a malware installer. After a victim clicks on the PDF, it downloads the Gozi variant. Gozi then captures any data entered into SSL-encoded sites, which includes most Internet banking, online retail and corporate intranets. SecureWorks' sources are confirming that the attack is widespread at this point.

The exploit is successfully using a URL-handling vulnerability in Windows XP and Windows Server 2003 running Internet Explorer 7. The rigged PDF file is using a "mailto: option" vulnerability in Adobe Acrobat 8.x to install the Trojan, which in turn is downloading a file that Symantec identified on Oct. 23 as "Downloader." That document is delivered as a piece of spam with a file name such as "BILL.pdf" or "INVOICE.pdf." SecureWorks noted that those names may change.

The spam that's delivering the rigged PDF looks like this: (see link below)

From: Gilbert

Subject: STATEMET indigene

Date: Tue, 23 Oct 2007 08:08:22 +0000

This latest Gozi variant, Gozi.F, is being detected by only 26 percent of 32 of the largest anti-malware vendors at the time of release, according to SecureWorks.

SecureWorks is recommending that users protect themselves by updating anti-virus signatures and by blocking network traffic to RBN, including FTP traffic to 81.95.146.130 and HTTP traffic to 81.95.147.107. Also, users should be warned to keep away from PDF files or other e-mail attachments from untrusted sources.

link

ALSO:

Scammers Exploit San Diego Fire

Predictably, sadly, scammers are already milking the tragic situation by masquerading as charity organizations.

Websense, a security company headquartered in fire-savaged San Diego, is warning that scammers are milking the tragic situation by masquerading as charity organizations.

Websense posted an image showing one suspicious eBay auction purporting to be a request for donations from the San Diego Fire Rescue Relief Effort.

"Please put the item you want to buy aside for a short time and take in consideration of helping," the listing reads. "The money will be used to buy those children a hope because we all know that the families will not be able to it [sic] themselves."

Websense urged potential donors to make sure they're dealing with legitimate organizations, if possible, by taking the initiative to contact agencies rather than responding to solicitations.

"Be very careful of people reporting to be agencies such as the Red Cross asking for donations or requesting you to visit their Web sites," the security company said in its posting. "They may be fraudulent or hosting malicious code designed to steal information such as banking details."

Websense itself has been seeing to its employees' welfare. "Our top priority right now is the safety of our employees and their families," the company said in a release.

Websense's headquarters are outside of the evacuation area and haven't sustained any damage or outages because of the fires, but on Monday, the company encouraged San Diego-based employees to stay home if necessary. On Tuesday, the company shut down its headquarters so employees could focus on keeping their families safe and dealing with evacuation.

Following wildfires in 2003, the company came up with business continuity plans. It's now running with redundant data centers, research teams and customer service distributed globally to help maintain content protection services for some 50,000 organizations it counts as customers.

"Many employees have company laptops and email-enabled PDAs, and employees can also access the corporate network through the Internet making it possible for most employees to work from remote locations. By providing Web-based access to e-mail and corporate instant messaging tools, most employees can work from virtually anywhere; however, we understand that this is a difficult time and affected employees should focus on their safety and family at this time. We are also encouraging employees to limit wireless access at the height of the crisis, as emergency services are relying on these communications channels to fight the fires," the company said in a release.

link

Edited by charlesandnessa

* ~ * Charles * ~ *
 

I carry a gun because a cop is too heavy.

 

USE THE REPORT BUTTON INSTEAD OF MESSAGING A MODERATOR!
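As an added example (not part of the article or the poster's text), here is a small Python check that turns the SecureWorks guidance quoted above into log review: it flags firewall entries going to the two RBN addresses named in the article and mail-log entries carrying the BILL.pdf / INVOICE.pdf lure names. The log line formats and sample entries are constructed assumptions; only the IP addresses and file names come from the article.

```python
import re

# Indicators quoted in the SecureWorks guidance reposted above.
BLOCKED_HOSTS = {"81.95.146.130": "FTP", "81.95.147.107": "HTTP"}
# SecureWorks noted these lure names may change, so treat them as a weak indicator.
LURE_ATTACHMENTS = {"bill.pdf", "invoice.pdf"}

# Assumed iptables-style and mail-log field layouts (constructed for this example).
FW_RE = re.compile(r"DST=(?P<dst>[\d.]+)\s+PROTO=\w+\s+DPT=(?P<dpt>\d+)")
MAIL_RE = re.compile(r'attach="?(?P<name>[^"\s]+)"?')


def flag_firewall_lines(lines):
    """Return (line, reason) pairs for any traffic to the listed RBN hosts."""
    hits = []
    for line in lines:
        m = FW_RE.search(line)
        if m and m["dst"] in BLOCKED_HOSTS:
            svc = BLOCKED_HOSTS[m["dst"]]
            hits.append((line, f"traffic to RBN host {m['dst']} ({svc}, port {m['dpt']})"))
    return hits


def flag_mail_lines(lines):
    """Return (line, reason) pairs for mail entries carrying a lure attachment name."""
    hits = []
    for line in lines:
        m = MAIL_RE.search(line)
        if m and m["name"].lower() in LURE_ATTACHMENTS:
            hits.append((line, f"PDF lure attachment {m['name']}"))
    return hits


# Constructed sample log lines; addresses other than the RBN ones are documentation ranges.
FIREWALL_LOG = [
    "Oct 24 09:12:01 fw kernel: SRC=10.0.0.15 DST=81.95.146.130 PROTO=TCP DPT=21",
    "Oct 24 09:12:03 fw kernel: SRC=10.0.0.15 DST=81.95.147.107 PROTO=TCP DPT=80",
    "Oct 24 09:12:05 fw kernel: SRC=10.0.0.16 DST=192.0.2.10 PROTO=TCP DPT=443",
]
MAIL_LOG = [
    'from=<gilbert@example.invalid> subject="STATEMET indigene" attach="BILL.pdf"',
    'from=<hr@example.invalid> subject="Q3 report" attach="report.pdf"',
    'from=<ap@example.invalid> subject="Invoice" attach="invoice.PDF"',
]

if __name__ == "__main__":
    for line, why in flag_firewall_lines(FIREWALL_LOG) + flag_mail_lines(MAIL_LOG):
        print(f"{why}: {line}")
```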

Posted

that chopf##k needs to be caught and hung by the nabs

Peace to All creatures great and small............................................

But when we turn to the Hebrew literature, we do not find such jokes about the donkey. Rather the animal is known for its strength and its loyalty to its master (Genesis 49:14; Numbers 22:30).


my burro, bosco ..enjoying a beer in almaty

http://www.visajourney.com/forums/index.ph...st&id=10835
