The PDF file attached to an email contains an exploit for the recently disclosed vulnerability involving Adobe PDF that is described in the security advisory reported by Microsoft. As stated earlier in this blog, the exploit is being distributed as a PDF file in spam and downloads a variant of the Gozi Trojan. The exploit contains shellcode to download a binary from the RBN; the downloaded binary injects itself into several MS Windows processes, collects personal information from the infected PC and sends it to the RBN.
To confirm:
The binary is downloaded from IP address 81.95.146.130.
Your personal data is then sent for ID theft to 81.95.147.107.
Both 81.95.146.130 and 81.95.147.107 are served by Autonomous System AS 40989 (RBN, RBusiness Network).
Perhaps more ISPs and users should simply blocklist the whole IP range, in and out?
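As an added illustration of that blocklist idea (example code, not part of the original post), the script below scans constructed firewall log lines for traffic to or from the two indicators named above and from blocklisted prefixes. The /24 prefixes are assumed placeholders for this example; the real prefixes announced by AS 40989 have to be taken from routing data.

```python
import ipaddress
import re

# Indicators from the post: the payload host and the exfiltration host.
PAYLOAD_HOST = "81.95.146.130"
EXFIL_HOST = "81.95.147.107"

# Assumed placeholder prefixes for the example; look up the real AS 40989
# announcements before using this as a production blocklist.
BLOCKLIST = [
    ipaddress.ip_network("81.95.146.0/24"),
    ipaddress.ip_network("81.95.147.0/24"),
]

# Constructed firewall log lines: timestamp, direction, src, dst, dst port.
SAMPLE_LOG = """\
2007-10-23 10:01:02 OUT 192.168.1.20 81.95.146.130 80
2007-10-23 10:01:05 OUT 192.168.1.20 81.95.147.107 80
2007-10-23 10:02:11 OUT 192.168.1.21 208.67.222.222 53
2007-10-23 10:03:40 IN 81.95.147.9 192.168.1.1 443
"""

LINE_RE = re.compile(r"^(\S+ \S+) (IN|OUT) (\S+) (\S+) (\d+)$")


def in_blocklist(addr):
    """True if the address (string) falls in any blocklisted prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKLIST)


def classify(addr):
    """Label which stage of the infection chain a remote address matches."""
    if addr == PAYLOAD_HOST:
        return "payload download"
    if addr == EXFIL_HOST:
        return "data exfiltration"
    return "blocklisted range"


def scan_log(text):
    """Return (timestamp, direction, remote_ip, label) for every hit."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        ts, direction, src, dst, _port = m.groups()
        # The remote side is dst for outbound and src for inbound traffic,
        # so both directions are checked, as the post suggests.
        remote = dst if direction == "OUT" else src
        if in_blocklist(remote):
            hits.append((ts, direction, remote, classify(remote)))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```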