RBN - PDF email Exploit

Thanks to the input from Honeyblog.Org providing detailed confirmation related to the earlier ZDNet article, concerning the latest Gozi Trojan exploit involving PDF files attached to email courtesy of the RBN.



The PDF file attached to an email contains an exploit for the recently disclosed vulnerability involving Adobe PDF and the Microsoft reported security advisory (
here). As stated within this blog earlier the exploit is being distributed as a PDF file in spam and downloads a variant of the Gozi Trojan
The exploit which contains shellcode to download a binary from the RBN, the downloaded binary injects itself into several MS Windows processes and collects personal information from the infected PC and sends it to the RBN.


To confirm:






Download binary from IP address 81.95.146.130






Then send your personal data for ID theft to 81.95.147.107



Both 81.95.146.130 and 81.95.147.107 is served by Autonomous System AS 40989 = RBN AS RBusiness Network,


Perhaps more ISPs and users should simply blocklist the whole IP range, in and out?