Less than 24 hours after Adobe shipped a fix for a gaping hole affecting its Reader and Acrobat software, PDF files rigged with malware are beginning to land in e-mail spam filters.
The discovery of the active attacks have underlined the need for Windows users to immediately scan machines for vulnerable software (I recommend the Secunia's free software inspector) and immediately apply all necessary patches.
According to Erik Kamerling, an analyst in Symantec's DeepSight Threat Management System team, the e-mail-borne attack is using the 'mailto: option' vulnerability discussed by Petko D. Petkov in September and confirmed earlier this month by Adobe.
Symantec has tagged the threat as Trojan.Pidief.A, a malware file that's being used to lower security settings and download more malicious executables on to the compromised computer. The rigged document is delivered as a piece of spam with a filename such as 'BILL.pdf' or 'INVOICE.pdf'.
When executed, Kamerling said the malicious code tries to disable the Windows Firewall with a 'netsh firewall set opmode mode=disable' command, and then downloads a remote file via FTP from 220.127.116.11 (the remote file is 'ldr.exe' and is a Downloader trojan).
At 4:00 PM EST, the host 18.104.22.168 is alive and still currently serving 'ldr.exe' over FTP. This server is known for hosting malicious software, Kamerling warned.
The DeepSight team is recommending that network administrators:
- Block the delivery of PDF files in email.
- Advise employees to not read or execute PDF files from unknown or untrusted sources.
- Block access to the network and IP address involved in this attack.
- Apply the patches outlined in Adobe Advisory APSB07-18 as soon as possible.
Ken Dunham, director of global response at iSIGHT Partners, said the attackers are using two rootkit files to sniff and steal financial and other valuable data from hijacked computers. The rootkits are installed in the Windows directory as 9129837.exe and new_drv.sys.
"Anti-virus detection is extremely poor for the exploit files and payloads involved in this attack, averaging only 26 percent out of 39 updated programs tested during the time of attack," Dunham said, nothing that the two attack servers are linked to the notorious Russian Business Network (RBN).
Dunham has found linkages between this attack and the zero-day Vector Markup Language (VML) attacks from September 2006. "Servers in the attack are also linked back to other malicious attacks involving Animated Cursor exploitation and Snifula and CoolWebSearch installations of code," he said.