Attack of the PDFs


Summary: Less than 24 hours after Adobe shipped a fix for a gaping hole affecting its Reader and Acrobat software, PDF files rigged with malware are beginning to land in e-mail spam filters.



The discovery of the active attacks has underlined the need for Windows users to immediately scan machines for vulnerable software (I recommend Secunia's free software inspector) and immediately apply all necessary patches.

According to Erik Kamerling, an analyst in Symantec's DeepSight Threat Management System team, the e-mail-borne attack is using the 'mailto: option' vulnerability discussed by Petko D. Petkov in September and confirmed earlier this month by Adobe.


Symantec has tagged the threat as Trojan.Pidief.A, a malware file that's being used to lower security settings and download more malicious executables onto the compromised computer. The rigged document is delivered as a piece of spam with a filename such as 'BILL.pdf' or 'INVOICE.pdf'.

Kamerling said that, when executed, the malicious code tries to disable the Windows Firewall with a 'netsh firewall set opmode mode=disable' command, and then downloads a remote file via FTP from (the remote file is 'ldr.exe' and is a Downloader trojan).

As of 4:00 PM EST, the host is alive and still serving 'ldr.exe' over FTP. This server is known for hosting malicious software, Kamerling warned.

The DeepSight team is recommending that network administrators:

  • Block the delivery of PDF files in email.
  • Advise employees to not read or execute PDF files from unknown or untrusted sources.
  • Block access to the network and IP address involved in this attack.
  • Apply the patches outlined in Adobe Advisory APSB07-18 as soon as possible.

Ken Dunham, director of global response at iSIGHT Partners, said the attackers are using two rootkit files to sniff and steal financial and other valuable data from hijacked computers. The rootkits are installed in the Windows directory as 9129837.exe and new_drv.sys.
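The behaviours reported above (the firewall-disable command, the 'ldr.exe' download and the two rootkit file names) can be turned into a simple triage check over endpoint logs. This is an added example, not code from Symantec, iSIGHT Partners or the article; the pipe-delimited log format, the host names and the reader process names are assumptions, and the sample events are constructed.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Indicators quoted in the article; everything else below is an assumption.
FIREWALL_OFF = re.compile(
    r"netsh(\.exe)?\s+firewall\s+set\s+opmode\s+(mode\s*=\s*)?disable", re.I)
DROPPED_FILES = {"ldr.exe", "9129837.exe", "new_drv.sys"}
PDF_READERS = {"acrord32.exe", "acrobat.exe"}        # assumed reader process names
SUSPECT_CHILDREN = {"cmd.exe", "netsh.exe", "ftp.exe"}

# Constructed sample events: kind|host|parent image|image or file path|command line
SAMPLE_EVENTS = r"""
proc|WS-014|C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe|C:\WINDOWS\system32\cmd.exe|cmd.exe /c netsh firewall set opmode mode=disable
proc|WS-014|C:\WINDOWS\system32\cmd.exe|C:\WINDOWS\system32\netsh.exe|netsh  Firewall set opmode mode=DISABLE
proc|WS-014|C:\WINDOWS\system32\cmd.exe|C:\WINDOWS\system32\ftp.exe|ftp -s:script.txt
file|WS-014|C:\WINDOWS\system32\ftp.exe|C:\WINDOWS\ldr.exe|
file|WS-014|C:\WINDOWS\ldr.exe|C:\WINDOWS\new_drv.sys|
proc|WS-022|C:\WINDOWS\explorer.exe|C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe|AcroRd32.exe "C:\Docs\INVOICE.pdf"
proc|WS-022|C:\WINDOWS\explorer.exe|C:\WINDOWS\system32\netsh.exe|netsh firewall show state
"""


def detect(events_text):
    """Return {host: sorted finding labels} for the constructed log format."""
    findings = {}
    for line in events_text.strip().splitlines():
        kind, host, parent, target, cmdline = line.split("|", 4)
        parent_name, target_name = basename(parent).lower(), basename(target).lower()
        hits = set()
        if kind == "proc":
            # The exact command the article quotes, tolerant of case and spacing.
            if FIREWALL_OFF.search(cmdline):
                hits.add("firewall-disable-command")
            # A PDF reader starting a shell, netsh or ftp is unusual on its own.
            if parent_name in PDF_READERS and target_name in SUSPECT_CHILDREN:
                hits.add("reader-spawned-shell")
        elif kind == "file" and target_name in DROPPED_FILES:
            hits.add("known-dropped-file:" + target_name)
        if hits:
            findings.setdefault(host, set()).update(hits)
    return {host: sorted(labels) for host, labels in findings.items()}


if __name__ == "__main__":
    for host, labels in detect(SAMPLE_EVENTS).items():
        print(host, labels)
```

A host that merely opens 'INVOICE.pdf' or queries the firewall state (WS-022 in the sample) produces no finding; only the combination of behaviours described in the article does.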


"Anti-virus detection is extremely poor for the exploit files and payloads involved in this attack, averaging only 26 percent out of 39 updated programs tested during the time of attack," Dunham said, noting that the two attack servers are linked to the notorious Russian Business Network (RBN).

Dunham has found linkages between this attack and the zero-day Vector Markup Language (VML) attacks from September 2006. "Servers in the attack are also linked back to other malicious attacks involving Animated Cursor exploitation and Snifula and CoolWebSearch installations of code," he said.

  • Adobe's misleadingly broken 7.0.x updater

    So, so far there's no fix for anything earlier than version 8.0. (And BTW have you read Adobe's wording in their release about this? It says that the update "may be installed" over 8.0. As a technical writer, I can tell you that that's weasel-wording; it signals to me that Adobe may well not have fully tested whether or not the update for 8.1.1 actually fixes 8.0.) And so in Acrobat 7.0.9 Professional, when I check for updates, I'm shown a list that indicates that updates are available for 7.0.5, 7.0.7, 7.0.8, and 7.0.9.

    So I install the update for 7.0.9, which ultimately requires that I reboot my system. After I do so, and I again check for updates, *I see the same list*.

    I have 7.0.9; I shouldn't see updates for earlier versions. I install the update for 7.0.9; I shouldn't see it again.

    The broken 7.0.x updater will lull many who check now that they are getting an update that addresses this vulnerability when they're not.

    At this point, not having a vulnerability POC site I can go to check whether the fix works, what I'd like to know is this: Since the most recent install of a program that associates a given filetype or filetypes with itself generally grabs associations from existing apps, have I provisionally protected my dopey Acrobat 7.0.9 installation from automatic IE-vectored drive-bys if I install Acrobat Reader 8.1.1? If so, I should be able to get into trouble with 7.0.9 only if I manually open a PDF file with it.

    Or so I imagine.
  • Reason 4,534 not to use Windows (NT)

    • re:Reason 9,129,837.exe NOT to use Winblows (nt)

  • Use Foxit Reader

    It is quicker to load, and it unloads from memory when you close a PDF page and there are no security issues. It is also free.
    • yep

      It also runs faster, is a lot smaller, uses less resources, and has a better interface. Any other reasons to use it?
      • Yes there is.

        It doesn't hang the browser and it always comes out of memory, especially Mozilla. It also doesn't make me go to preferences and shut off big brother. Maybe one of these days they will write a program that doesn't try to take over and advertise in the tray.
    • UNINSTALL Adobe Acrobat and get Foxit Reader

      I stopped using Acrobat a long time ago, partly because it had so many security holes that required downloading the entire program, which is huge.
      I used acrobat 4 for years because it was safe and good, but newer pdf's required acrobat 7.
      I have some clients who are on dialup, and telling them to download a 25MB (I don't even know how big the latest Acrobat file is, probably even bigger) file every 3 weeks is a pain.
      • Not completely

        After uninstalling the latest Acrobat, it leaves slivers all over in the registry. The last good version was 5.05 by most sources, but nags for an update on newer PDFs. Foxit doesn't nag and opens all of them but some features may not show. But hell a reader is to view the content which it does fine. All new installs get Foxit.
    • Great, nice alternative!

      Gee thanks! I really have to take my hat off to you for the link.

      This open source app Foxit is amazing - and it opens PDFs as fast as *.docs and *.txts.

      Byebye Adobe - hello Foxit!

      Once again, many thanks - you're a champion. :^)
      • You're Welcome

        Adobe wreaked havoc with Mozilla by not unloading from memory so I did 1 hour of research to find an alternative over 1 year ago. Never went back and neither did the customers. But you have to use "save as" to keep a copy locally. Good luck.
  • Reason 4,534 to run as a standard user account

    "the malicious code tries to disable the Windows Firewall with a 'netsh firewall set opmode mode=disable' command"

    Fails under a standard user account. Standard users can never disable the firewall.

    "The rootkits are installed in the Windows directory"

    Fails under a standard user account. Of course that's not to say malware couldn't be installed in the user's temp directory -- but this way it would be confined to the given user and wouldn't affect any other users, so you can at least log off and back on as an administrator and clean out the infected account.

    Plus, if the malware in question is a true "rootkit", meaning it's trying to conceal itself by modifying the kernel, this will fail as well because standard users can't install kernel drivers.
    • Amen!

      And of all the computers I've bought or set up, I have yet to see a clear explanation of WHY one should NEVER run day-to-day on the admin login or with admin rights! In fact, I've noticed that most computers coming from "big box" retailers don't even talk about user vs. admin accounts ... they just launch into the DVD burning tutorial or the how to get IE running so one can surf the 'net (like the only reason to buy a computer is to copy movies and chat online). The after-market computer support folks will crucify me but I think all systems sold at retail level should be pre-configured with an admin account (with password) and one user account (without password). The admin password should be in a sealed envelope attached to the box at time of assembly (like the COA sticker, eh?). That way the user would login to the user account automatically ('cause it don't need no stupid password, eh?). Only when he wants to do something requiring use of the manual will he need the password. And then having to go to the trouble of getting it out will make the user think twice ... and wouldn't that be news, eh!
      • Sort of like what Linux does.

        When you are first configuring Linux, you are asked to create a root password.
        Afterwards you are forced to create an account for you (limited) as a limited user.
    • another reason to use the UAC.

      another reason to use the UAC.
    • What about shared folders?

      I catch a lot of clients who manage to run under restricted accounts only to find out they have shared folders, and fast user switching wide open.

      Once they log on as an Administrator BOOM!

      Not to mention about a dozen other things you got to do to actually batten Windows (XP SP2) down.
  • again Linux is safe

    how many times Linux beat windoze on security front?
    Linux Geek
    • Nothing is safe!

      No matter what software is used and regardless of the type of encryption, all data streams are subject to attack and can be hacked into, eventually. Never think that your information is absolutely secure. It is not! All crackers should be drawn and quartered!
      • Except for Mac OS

        Nah, nah!