Evil PDFs are planting Gozi, the Trojan Horse that stole millions in
February

[Exploits of new PDF security threat surge over weekend...Microsoft
working on it, Adobe issues patches...]

According to Dunham [director of response at iSight Partners] and
other researchers, the infamous Russian Business Network (RBN), a
collective of cybercriminals, is behind the PDF assault. When
recipients open an attack PDF, a combination of Trojan Horses,
downloaders and rootkits strike, knocking out the Windows firewall and
installing code that captures all information entered into any SSL-
secured form on a Web page. That information is then transmitted back
to RBN....

The reason Microsoft is involved is that while the current attacks are
based on malformed PDFs, the real vulnerability lies in Windows XP and
Windows Server 2003 code, not in Adobe's, Sisk [a member of the
Microsoft security response team] acknowledged. "The vulnerability
mentioned in this advisory is in the Microsoft Windows ShellExecute
function," he said. "These third-party updates [such as Adobe's fix]
do not resolve the vulnerability, they just close an attack vector."

His admission is the clearest yet from Microsoft that the updates
produced by Adobe and similar fixes issued by Mozilla for Firefox and
Skype for its flagship VoIP software would have been unnecessary if
Windows had been patched against problems in URI protocol handlers,
which let browsers run other programs via commands in a URL.
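The mechanism the paragraph describes is visible in the registry: each URI scheme is a key under HKEY_CLASSES_ROOT carrying a "URL Protocol" value, and its shell\open\command is the command line ShellExecute launches with the URI substituted for %1. The script below is an added audit example, not code from the article or from Microsoft; it lists every registered scheme, the command it dispatches to, and flags handlers that splice the raw URI in unquoted, which is the pattern that hands attacker-controlled text straight to another program. The column name UnquotedArg and the regex used to detect it are this example's own choices.

```powershell
# Added example: enumerate URI protocol handlers and the command each one
# passes to ShellExecute. Run in an elevated or normal PowerShell on Windows.
function Get-UriProtocolHandlers {
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object {
            # A class key registers a URI scheme only if it has a 'URL Protocol' value.
            $null -ne (Get-ItemProperty -Path $_.PSPath -Name 'URL Protocol' -ErrorAction SilentlyContinue)
        } |
        ForEach-Object {
            $scheme  = $_.PSChildName
            $cmdKey  = "$($_.PSPath)\shell\open\command"
            $command = (Get-ItemProperty -Path $cmdKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Scheme      = $scheme
                Command     = $command
                # %1 is the full URI from the document or browser. If it is not
                # wrapped in quotes, the target program's own argument parsing
                # decides what an attacker-supplied URI means (assumed heuristic).
                UnquotedArg = [bool]($command -match '(^|\s)%1(\s|$)')
            }
        }
}

# Review every handler; sort so the unquoted ones are listed first.
Get-UriProtocolHandlers |
    Sort-Object -Property @{Expression = 'UnquotedArg'; Descending = $true}, Scheme |
    Format-Table -AutoSize
```

Third-party patches such as Adobe's close one document format as a way of reaching these handlers; the list above shows every program that can still be reached through ShellExecute once some other client forwards a URI to it.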

This northern summer, researchers argued over who was responsible for
URI protocol handler vulnerabilities that were beginning to surface.
Microsoft strenuously denied that its software was at fault until
earlier this month, when it issued the advisory Sisk referenced, and
said it would create a patch.

"This may be Microsoft's first public acceptance that this bug is in
fact a Microsoft vulnerability," said Andrew Storms, director of
security operations at nCircle Network Security.

[Exploit installs Gozi, which has cost $$ before....]

Gozi then and now works much the same way... Any information entered
into a Web page form secured by SSL is nabbed, then sent to the RBN
hackers. Virtually every log-on for accessing online bank or brokerage
accounts and every major e-tailer order form are secured with SSL, and
thus in danger of being stolen by Gozi.

Unlike in February, when RBN carelessly exposed a server containing
the stolen data -- which Jackson discovered -- the current attack
results are unknown. "They've gotten smarter about where they store
their data."

If Jackson is right about the RBN hackers' technical skills, the
amount they'll steal this time should prod Microsoft to push out a
patch sooner rather than later.

"These guys are good," said Jackson. "They're right up there with the
Windows kernel developers as far as programming goes. [Ha! Maybe
better!] They're very, very talented. And once they have a foot in the
door, they can use that [talent] to force their way in."


http://www.pcworld.idg.com.au/index.php/id;796926581