Gozi Trojan Resurfaces Briefly, Security Researcher Finds
The malware worm behind an identity theft service returns to exploit a vulnerability in Adobe Acrobat 8.x, then disappears.
It appeared the servers that hosted the malware started to clog their own network and pull down performance, causing the service provider hosting the servers to shut them down voluntarily, Jackson said.
In January, Jackson accidentally discovered the Gozi Trojan and the service it connected to, called 76service. He said the latest distribution of the Gozi bot is the first in-the-wild exploit of a vulnerability in Adobe Acrobat version 8.x. The Acrobat vulnerability stems from the fact that certain PDF files will automatically execute a "mailto:" command when the file is opened. Hackers manipulate this so that the command gets passed off to the operating system instead of an e-mail client. The command tells the machine to download a small file called a downloader, which is simply another command that in turn tells the machine to download the Gozi bot.
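The mechanism above suggests a simple defensive check: flag PDFs whose URI actions carry a "mailto:" value that is not a plain e-mail address, especially when the document opens it automatically. The scanner below is an added illustration, not code from the article or from the researcher it quotes; the two embedded PDF fragments are constructed, and the regexes assume the `/S /URI /URI (...)` action syntax with no obfuscation of the object dictionary.

```python
import re

# Constructed minimal PDF fragments used as sample input (not real malware).
# /OpenAction makes the viewer run the action as soon as the file is opened.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /Type /Action /S /URI /URI (mailto:support@example.com) >> endobj
%%EOF"""

SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /Type /Action /S /URI /URI (mailto:%/a b"x) >> endobj
%%EOF"""

# A URI action: "/S /URI" followed by the "/URI (...)" literal string.
URI_ACTION = re.compile(
    rb"/S\s*/URI\b.*?/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)", re.S
)
# What a legitimate mailto: value should look like: a single plain address.
PLAIN_ADDRESS = re.compile(
    rb"^mailto:[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
)


def find_mailto_uris(pdf_bytes):
    """Return every mailto: value found in a URI action."""
    return [
        m.group("uri")
        for m in URI_ACTION.finditer(pdf_bytes)
        if m.group("uri").lower().startswith(b"mailto:")
    ]


def suspicious_mailto(uri):
    """Anything that is not a bare address (quotes, slashes, spaces,
    percent sequences outside the local part) is treated as suspect."""
    return PLAIN_ADDRESS.match(uri) is None


def scan(pdf_bytes):
    """Return one finding per suspicious mailto: action, noting whether
    the document also declares an /OpenAction (runs without a click)."""
    auto_open = b"/OpenAction" in pdf_bytes
    return [
        {"uri": uri.decode("latin-1"), "auto_open": auto_open}
        for uri in find_mailto_uris(pdf_bytes)
        if suspicious_mailto(uri)
    ]


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(name, scan(blob))
```

A production check would walk the PDF object tree (compressed streams, indirect references) rather than grepping raw bytes; this version only shows the decision logic.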
You can read more about this development at CIO's sister publication, CSOonline.com.