Gozi Trojan Resurfaces Briefly, Security Researcher Finds

The Trojan behind an identity-theft service returns to exploit a vulnerability in Adobe Acrobat 8.x, then disappears.

The Gozi Trojan, a bot that fronted a sophisticated hacking subscription service earlier this year, was found in the wild again today, infecting PCs at a healthy clip via PDF spam, according to SecureWorks security researcher Don Jackson.


It appeared that the servers that hosted the malware had started to clog their own network and pull down performance, causing the service provider hosting them to shut them down voluntarily, Jackson said.

In January, Jackson accidentally discovered the Gozi Trojan and the service it connected to, called 76service. He said the latest distribution of the Gozi bot is the first in-the-wild exploit of a vulnerability in Adobe Acrobat version 8.x. The Acrobat vulnerability stems from the fact that certain PDF files will automatically execute a "mailto:" URI when the file is opened. Attackers craft that URI so that it is handed to the operating system for execution instead of to an e-mail client. The resulting command tells the machine to download a small file called a downloader, which is simply another command that in turn fetches and runs the Gozi bot.
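As an added example, not code from the article or from SecureWorks, the following Python scanner checks whether a PDF's open-time action (/OpenAction) resolves to a /URI action carrying a mailto: target, and then applies heuristics to decide whether that target looks like an e-mail address or like a command line smuggled to the operating system's URL handler. The three PDF samples are constructed for this example; the checks are generic heuristics for the delivery shape the article describes and do not reproduce the specific Acrobat defect or the Gozi payload.

```python
"""Heuristic scanner for PDFs whose open-time action is a mailto: URI.

Added example (not the article's or SecureWorks' code). Input PDFs below
are constructed for the example. Limitations: hex strings (<...>) and
object streams are not handled; a full parser would be needed for those.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\b(.*?)\bendobj", re.S)
OPENACTION_REF_RE = re.compile(rb"/OpenAction\s+(\d+)\s+0\s+R")
OPENACTION_INLINE_RE = re.compile(rb"/OpenAction\s*<<(.*?)>>", re.S)
URI_STR_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Conservative alphabet for the address part of a mailto: (RFC 5322 atext plus '@').
ADDR_OK = re.compile(r"^[A-Za-z0-9.!#$&'*+/=?^_`{|}~@-]+$")


def pdf_unescape(raw: bytes) -> str:
    """Undo PDF literal-string escapes: \\( \\) \\\\ and octal \\ddd; a backslash
    before any other character is dropped, as the PDF spec requires."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):  # backslash
            if chr(raw[i + 1]) in "01234567":
                j = i + 1
                while j < len(raw) and j < i + 4 and chr(raw[j]) in "01234567":
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
            out.append(raw[i + 1])
            i += 2
            continue
        out.append(c)
        i += 1
    return out.decode("latin-1")


def open_action_body(pdf: bytes) -> Optional[bytes]:
    """Return the action dictionary that /OpenAction points at (indirect or inline)."""
    m = OPENACTION_REF_RE.search(pdf)
    if m:
        for num, body in OBJ_RE.findall(pdf):
            if num == m.group(1):
                return body
        return None
    m = OPENACTION_INLINE_RE.search(pdf)
    return m.group(1) if m else None


def mailto_risk(uri: str) -> List[str]:
    """Heuristic reasons a mailto: target looks like a command line, not an address."""
    reasons: List[str] = []
    if not uri.lower().startswith("mailto:"):
        return reasons
    decoded = unquote(uri[len("mailto:"):])  # percent-decode before judging
    addr = decoded.split("?", 1)[0]          # part before ?subject=...&body=...
    if not ADDR_OK.match(addr):
        reasons.append("address part contains characters outside the e-mail alphabet")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        reasons.append("control characters after percent-decoding")
    if '"' in decoded or "\\" in decoded:
        reasons.append("quote or backslash, typical of a command line")
    if re.search(r"\.\.[\\/]|\.(exe|bat|cmd|scr)\b", decoded, re.I):
        reasons.append("path traversal or executable file name")
    return reasons


def scan_pdf(pdf: bytes) -> Dict[str, object]:
    """Report whether the PDF auto-executes a URI action and how risky its mailto: looks."""
    body = open_action_body(pdf)
    result: Dict[str, object] = {"open_action": body is not None, "uri": None, "reasons": []}
    if body is None or not re.search(rb"/S\s*/URI\b", body):
        return result
    m = URI_STR_RE.search(body)
    if not m:
        return result
    uri = pdf_unescape(m.group(1))
    result["uri"] = uri
    result["reasons"] = mailto_risk(uri)
    return result


# Constructed samples (not real malware): a benign mailto: link that runs on open,
# a suspicious one whose decoded target is a path plus a quote, and a plain link
# annotation with no /OpenAction at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /URI /URI (mailto:sales@example.com?subject=Quote) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /URI /URI (mailto:%20/../../../tmp/evil.exe "x) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
LINK_ONLY_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (mailto:a@example.com) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF), ("link-only", LINK_ONLY_PDF)):
        print(name, scan_pdf(pdf))
```

The useful signal is the combination: a URI action is only alarming when the document executes it without a click (/OpenAction), and a mailto: is only alarming when, after percent-decoding, its target stops looking like an address. Treat the heuristics as a triage filter for mail-gateway PDF attachments, not as a verdict; a proper PDF parser is needed for hex strings and object streams, which this example does not handle.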

You can read more about this development at CIO's sister publication, CSOonline.com.

This story, "Gozi Trojan Resurfaces Briefly, Security Researcher Finds" was originally published by CSO.


Copyright © 2007 IDG Communications, Inc.
