Attack of the PDFs

Summary:Less than 24 hours after Adobe shipped a fix for a gaping hole affecting its Reader and Acrobat software, PDF files rigged with malware are beginning to land in e-mail spam filters.

Attack of the PDFs
Less than 24 hours after Adobe shipped a fix for a gaping hole affecting its Reader and Acrobat software, PDF files rigged with malware are beginning to land in e-mail spam filters.

The discovery of the active attacks have underlined the need for Windows users to immediately scan machines for vulnerable software (I recommend the Secunia's free software inspector) and immediately apply all necessary patches.

According to Erik Kamerling, an analyst in Symantec's DeepSight Threat Management System team, the e-mail-borne attack is using the 'mailto: option' vulnerability discussed by Petko D. Petkov in September and confirmed earlier this month by Adobe.

[ SEE: Free utility looks for missing security patches ]

Symantec has tagged the threat as Trojan.Pidief.A, a malware file that's being used to lower security settings and download more malicious executables on to the compromised computer. The rigged document is delivered as a piece of spam with a filename such as 'BILL.pdf' or 'INVOICE.pdf'.

When executed, Kamerling said the malicious code tries to disable the Windows Firewall with a 'netsh firewall set opmode mode=disable' command, and then downloads a remote file via FTP from 81.95.146.130 (the remote file is 'ldr.exe' and is a Downloader trojan).

At 4:00 PM EST, the host 81.95.146.130 is alive and still currently serving 'ldr.exe' over FTP. This server is known for hosting malicious software, Kamerling warned.

The DeepSight team is recommending that network administrators:

  • Block the delivery of PDF files in email.
  • Advise employees to not read or execute PDF files from unknown or untrusted sources.
  • Block access to the network and IP address involved in this attack.
  • Apply the patches outlined in Adobe Advisory APSB07-18 as soon as possible.

Ken Dunham, director of global response at iSIGHT Partners, said the attackers are using two rootkit files to sniff and steal financial and other valuable data from hijacked computers. The rootkits are installed in the Windows directory as 9129837.exe and new_drv.sys.

[SEE: ‘High risk’ zero-day flaw haunts Adobe Acrobat, Reader ]

"Anti-virus detection is extremely poor for the exploit files and payloads involved in this attack, averaging only 26 percent out of 39 updated programs tested during the time of attack," Dunham said, nothing that the two attack servers are linked to the notorious Russian Business Network (RBN).

Dunham has found linkages between this attack and the zero-day Vector Markup Language (VML) attacks from September 2006. "Servers in the attack are also linked back to other malicious attacks involving Animated Cursor exploitation and Snifula and CoolWebSearch installations of code," he said.

Topics: Collaboration, Enterprise Software, Security, Software

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.