New Group Joins Russians in Evil PDF Attack

Spamming of the rigged files reached what researchers called "massive" proportions the weekend of Oct. 27 and 28.

Another group has joined the Russians to modify PDFs and jack up spamming of the rigged files to a level that reached what researchers called "massive" proportions over the weekend.

"The default e-mail list [a sampler] that comes with one gmail spam bot contains 10,000 starter addresses," Don Jackson, a security researcher with SecureWorks, told eWEEK in an e-mail on Oct. 29. "Weve seen at least 2,200 messages from that list before the end of last week. One university in Australia [was] seeing about 400/day over the weekend. A large firm in Sweden has seen 1,300 since Thursday (when the news broke) with only about 250 in the last day."

The malicious PDF attack detected on Oct. 25 has been downloading a variant of the Gozi Trojan—the same malware thats been used to steal personal data with a black market value of over $2 million, including bank, retail and payment services account numbers as well as Social Security numbers.

SecureWorks, which originally discovered the Gozi Trojan in February 2007, determined that the current attack is coming from the same Russian criminals who launched the February attack.

Jackson said its clear that there are now two groups behind the malware attack and that the knowledge of how to modify the PDF is public across the cyber-crime underground.

Starting later in the weekend, a group affiliated with the Gromozon Trojan and the LinkOptimizer Trojan attacks started to spread their own brand of malware using a variation on the PDF exploit, he said.

Using names like "report.pdf" and "debt.2007.10.31.816537.pdf", the PDF file installs several different pieces of malware, including the Zeus variant of the PRG Trojan. It uses anti-debug/anti-VMware tactics to evade analysis and slowly downloads other files to the infected host via BITS (Background Intelligent Transfer Service), a lightweight HTTP-based protocol that is usually allowed through firewalls because its what Microsoft Update uses, Jackson said.

The new PDF malware is communicating back to servers that are not on the Russian Business Network, but instead have addresses in Malaysia, although SecureWorks is detecting data on the malware thats in Russian.

The new group is better at spamming than the first, Jackson said.

"Message volume estimates based on different filenames [used] in the two attacks shows the newer Gromozon messages now make up more than half of the new PDF exploit spam being sent currently," he said.

Early last week, Adobe fixed a flaw in its Acrobat Reader that has been used as a vector for the attack, which has been using a cocktail of Trojan downloaders and rootkits to steal data from infected computers. But the primary glitch is actually an unpatched vulnerability in Microsofts Windows ShellExecute function.

The same day that the evil PDF onslaught was first detected, Microsoft put out an updated security advisory to warn customers of the PDF-borne exploit.

In that update, Microsoft Security Response Centers Bill Sisk said that applying third-party application patches such as that put out by Adobe will give some protection, but they only close down one road to infection, not the primary cause.

"Third-party applications are currently being used as the vector for attack and customers who have applied the security updates available from these vendors are currently protected," Sisk wrote in the posting. "However, because the vulnerability mentioned in this advisory is in the Microsoft Windows ShellExecute function, these third-party updates do not resolve the vulnerability—they just close an attack vector."

Microsoft now has teams working to patch the hole, Sisk said, although they are treading carefully.

"As part of our SSIRP process, we currently have teams worldwide who are working around the clock to develop an update of appropriate quality for broad distribution," he said. "Because ShellExecute is a core part of Windows, our development and testing teams are taking extra care to minimize application compatibility issues."


NAC cant weather the Storm. Click here to read more.

The spam rate has ebbed for now, but researchers fear this may be the eye of the storm.

"Massive spamming did not eventually lead to major problems, since the secondary download location was swiftly taken down preventing the downloader from functioning," F-Secure said in an Oct. 29 posting.

SecureWorks Jackson agreed that the PDF attack looks to be on a downward trend, likely due to the unique signature use in attacks and because of major ISPs use of in-the-cloud filters.

But although the current attack is mitigated, its not over by any means, he said.

"The problems are now [that] IP addresses can be reassigned; a new wave of spam could use a new IP address on a more bulletproof hosting provider; [and] the PDF could use alternative forms of encoding or perhaps even built-in DRM to bypass current filters. This threat will be dangerous for some time," Jackson said.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.