
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

FIFA World Cup themed malware campaign spreads malicious PDF files

By Dancho Danchev | March 26, 2010, 12:59pm PDT

Summary: Researchers from Symantec are reporting on an ongoing targeted malware campaign that uses a FIFA World Cup 2010 theme to trick end users into opening a malicious PDF file, which exploits a recently patched flaw in Adobe Reader (CVE-2010-0188).

More details on the campaign, from Symantec's write-up:

  • The attacker(s) have downloaded Greenlife’s PDF document, and changed it to include malicious code. They then attempted to email the malicious PDF to a user in a major international organisation that brings together governments from all over the world. We should emphasise that downloading the PDF from the Greenlife website is perfectly safe at the time of writing this blog.
  • The attack makes use of a recently patched vulnerability in Adobe Reader – CVE-2010-0188. The patch for this critical-rated vulnerability was released by Adobe on February 16, 2010. Since then we have observed a large number of targeted attacks attempting to exploit this vulnerability. Proof-of-concept exploit code is available on the Internet, which is contributing to the large number of observed attacks. The exploit makes use of a flaw in the TIFF file parsing in Adobe Reader. In particular, a stack overflow is caused by inserting a TIFF image into the PDF with a specially crafted “DotRange” tag.
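The malformed structure Symantec describes is concrete enough to check for. The script below is an added example, not code from the original post or from Symantec: it searches a byte blob (for instance a PDF read from disk) for TIFF headers, walks the first IFD of each, and flags a DotRange entry (tag 336) whose value count exceeds what the TIFF 6.0 specification allows, which is 2 values, or 2 × SamplesPerPixel. That oversized count is the crafted tag behind the stack overflow. The sample "PDF" and the TIFF images it embeds are constructed inside the script; the threshold (2 × SamplesPerPixel) is my reading of the specification, and in-the-wild samples of this exploit commonly carry the image base64-encoded inside an XFA form, so a production scanner would also decode embedded streams and XFA data before looking for the TIFF magic.

```python
"""Flag embedded TIFF images whose DotRange tag carries an oversized value count.

Added example: scans a byte blob (e.g. a PDF read from disk) for TIFF headers,
parses the first IFD of each, and reports a DotRange (tag 336) entry whose
count exceeds what the TIFF 6.0 spec allows (2 values, or 2 * SamplesPerPixel).
An oversized DotRange count is the malformed structure behind the stack
overflow in Adobe Reader's TIFF parser (CVE-2010-0188).
"""
import struct

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little-endian and big-endian headers
TAG_SAMPLES_PER_PIXEL = 277
TAG_DOT_RANGE = 336
TYPE_BYTE, TYPE_SHORT, TYPE_LONG = 1, 3, 4
ENTRY_SIZE = 12


def parse_ifd0(data, start):
    """Parse the first IFD of the TIFF beginning at data[start].

    Returns {tag: (type, count, inline_value_or_offset)}, or None if the
    bytes at data[start] are not a well-formed TIFF header.
    """
    if len(data) < start + 8:
        return None
    bo = {b"II": "<", b"MM": ">"}.get(data[start:start + 2])
    if bo is None or struct.unpack(bo + "H", data[start + 2:start + 4])[0] != 42:
        return None
    ifd = start + struct.unpack(bo + "I", data[start + 4:start + 8])[0]
    if ifd + 2 > len(data):
        return None
    n_entries = struct.unpack(bo + "H", data[ifd:ifd + 2])[0]
    entries = {}
    pos = ifd + 2
    for _ in range(n_entries):
        if pos + ENTRY_SIZE > len(data):
            break                      # truncated IFD: keep what was parsed
        tag, typ, count = struct.unpack(bo + "HHI", data[pos:pos + 8])
        field = data[pos + 8:pos + 12]
        # Values that fit in 4 bytes are stored left-justified in the field;
        # anything larger is an offset to the out-of-line data.
        if count == 1 and typ == TYPE_SHORT:
            value = struct.unpack(bo + "H", field[:2])[0]
        elif count == 1 and typ == TYPE_BYTE:
            value = field[0]
        else:
            value = struct.unpack(bo + "I", field)[0]
        entries[tag] = (typ, count, value)
        pos += ENTRY_SIZE
    return entries


def check_dot_range(entries):
    """Return a reason string if DotRange holds more values than allowed, else None."""
    if TAG_DOT_RANGE not in entries:
        return None
    _typ, count, _ = entries[TAG_DOT_RANGE]
    spp = entries.get(TAG_SAMPLES_PER_PIXEL, (TYPE_SHORT, 1, 1))[2]   # default: 1 sample
    allowed = 2 * spp                  # TIFF 6.0: N = 2, or 2 * SamplesPerPixel
    if count > allowed:
        return "DotRange count %d exceeds the %d values allowed for %d sample(s) per pixel" % (
            count, allowed, spp)
    return None


def scan(blob):
    """Return [(offset, reason)] for every embedded TIFF with an oversized DotRange."""
    alerts = []
    for magic in TIFF_MAGICS:
        off = blob.find(magic)
        while off != -1:
            entries = parse_ifd0(blob, off)
            if entries is not None:
                reason = check_dot_range(entries)
                if reason:
                    alerts.append((off, reason))
            off = blob.find(magic, off + 1)
    return sorted(alerts)


def build_tiff(dot_range_count, samples_per_pixel=1, bo="<"):
    """Construct a minimal 1x1 TIFF (test data, not a real capture) whose IFD
    carries ImageWidth, ImageLength, SamplesPerPixel and a DotRange entry
    with the requested number of SHORT values stored right after the IFD."""
    n_entries = 4
    ifd_off = 8
    data_off = ifd_off + 2 + n_entries * ENTRY_SIZE + 4
    short_field = lambda v: struct.pack(bo + "H", v) + b"\x00\x00"   # left-justified SHORT
    out = (b"II" if bo == "<" else b"MM") + struct.pack(bo + "HI", 42, ifd_off)
    out += struct.pack(bo + "H", n_entries)
    out += struct.pack(bo + "HHI", 256, TYPE_SHORT, 1) + short_field(1)                    # ImageWidth
    out += struct.pack(bo + "HHI", 257, TYPE_SHORT, 1) + short_field(1)                    # ImageLength
    out += struct.pack(bo + "HHI", TAG_SAMPLES_PER_PIXEL, TYPE_SHORT, 1) + short_field(samples_per_pixel)
    out += struct.pack(bo + "HHI", TAG_DOT_RANGE, TYPE_SHORT, dot_range_count) + struct.pack(bo + "I", data_off)
    out += struct.pack(bo + "I", 0)                                                        # no next IFD
    out += b"".join(struct.pack(bo + "H", v & 0xFFFF) for v in range(dot_range_count))
    return out


# Constructed stand-in for a PDF that embeds a raw TIFF with a 64-value DotRange.
SAMPLE_PDF = (b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"2 0 obj\n<< /Length 190 >>\nstream\n" + build_tiff(64) +
              b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for off, reason in scan(SAMPLE_PDF):
        print("TIFF at offset %d: %s" % (off, reason))
```

Run it against a file with `scan(open(path, "rb").read())`. The check deliberately keys on the declared count in the IFD entry rather than on the image data, because the parser that crashes reads that count before it ever looks at the values; a TIFF that is otherwise valid but declares a few dozen DotRange values is the thing to quarantine.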

Anticipating the predictable rise in FIFA World Cup 2010 themed malicious activity, Symantec released stats last month on the dynamics of malicious sites and spam campaigns using the World Cup as a theme.

With the event scheduled for June 2010, cybercriminals will be among the first to capitalise on the anticipated traffic from gullible bargain seekers, who open spam and click on its links (Survey: Millions of users open spam emails, click on links).

According to recent reports, malicious PDF files not only accounted for 80 percent of all exploits seen in 2009, but have also become the preferred infection vector for targeted attacks in general, surpassing malicious Microsoft Office files for the first time.

Users should do more than just update their Adobe products (or, if truly paranoid, switch to an alternative PDF reader): they should take a comprehensive approach to patching all of the third-party applications and browser plugins currently installed.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He has been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

Comments

Alternative Reader, Alternative O/S
Dietrich T. Schmitz, Linux Advocate 26th Mar 2010
Folks, Ubuntu Linux 9.10 Karmic comes with AppArmor installed by default and the default document viewer Application (GNOME) Evince is 'sandboxed' in its own AA profile.

See the AA status of my machine here:

dietrich@dietrich-laptop:~$ sudo aa-status
[sudo] password for dietrich:
apparmor module is loaded.
11 profiles are loaded.
11 profiles are in enforce mode.
/sbin/dhclient3
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-thumbnailer
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/firefox-3.6/firefox-*bin
/usr/sbin/cupsd
/usr/sbin/tcpdump
/usr/share/gdm/guest-session/Xsession
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode :
/sbin/dhclient3 (1600)
/usr/lib/firefox-3.6/firefox-*bin (2593)
/usr/sbin/cupsd (1238)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

No amount of patching is going to help with the ongoing litany of Zero-Day exploits.

What Microsoft Windows needs (and doesn't have) is what Linux provides by default: an LSM module, AppArmor, which runs in its own protected memory external to the system kernel and 'App' (i.e. Adobe Reader).

Microsoft's security model runs all brokering inside the system kernel.

Linux LSM does not.

Exploits are stopped cold in their tracks by AA.

Be safe and use Ubuntu Linux.

Ubuntu Linux: The safest operating system on the planet.

I stake my reputation on it.

Dietrich T Schmitz
GNU/Linux Advocate
That looks like a lot of work
Loverock Davidson 26th Mar 2010
I can't figure out why linux needs so much extra maintenance to keep it secure. Other OS's just work and are secure out of the box, but not linux. Why is that?
That looks like a lot of nonsense
AzuMao 26th Mar 2010
I can't figure out why you're unable to comprehend the fact that Linux-based operating systems are far more secure out of the box than Windows and OSX.

Other Windows fanboys just focus on aspects where Windows is ahead (such as having more video games), but not you. Why is that?
I can't figure out why you're unable to comprehend the fact that an Etch-A-Sketch is far more secure out of the box than Linux-based operating systems.

Granted, there's a lot less software for the Etch-A-Sketch, and less adoption of the platform by the world at large, but that also means fewer black hats are writing Etch-A-Sketch virii and malware.

And that makes it inarguably more secure...
You can't use browsers like Internet Explorer, Firefox, Safari or chrome on it.

You can't watch videos from sites like YouTube, Hulu, or Vimeo on it.

You can't chat with people over AIM/ICQ/MSN/Y!M/Xfire on it.

You can't use document editors like Abiword, OpenOffice.org or Microsoft Office on it.

You can't use photo editors like GIMP, Aviary Phoenix or Photoshop on it.

You can't use music players like Winamp, Audacious, or Amarok on it.

You can't use video players like Windows Media Player, VLC, Totem, Xv or MPlayer on it.

You can't play games like Guild Wars, Command & Conquer 3, Half-Life 2, Silkroad Online, Spore, Call of Duty 2/4/5/6, Live for Speed, World of Warcraft, Final Fantasy XI Online, EVE Online, StarCraft vanilla/Brood War, Left 4 Dead, Counter-Strike: Source, Sims 3, Supreme Commander, Battlefield 2, TA: Spring, Nexuiz or Urban Terror on it.

You can't have a point-and-click GUI interface with icons and such on it.

You can't run most of the Internet on it.

You can't use it to render Avatar, run the largest particle accelerator in the world, run the largest bank in the world or run all the TiVos in the world.

You can't watch 1080p 7.1 surround sound movies on it.

You can't run it on desktops, laptops, notebooks, smartphones, Xboxes, Wiis, PS3s, servers, and satellites.

You can't use it to run several of Microsoft's own websites.

Linux, on the other hand, does all this and is used directly (on their own computers) by several million people on a regular basis. By over a billion if you count people using services provided by it.

But hey, other than those little flukes, great comparison!
Secure
Clayman1000x 30th Mar 2010
Then why do windows users have to have antivirus and such if they are so secure out of the box? Moron.
Not another OS Battle
siradude Updated - 29th Mar 2010
Not another this OS is Better than that OS thread...

I say, let the ATF declare open season on all malicious code creators and lower the price of bullets!
Great idea.
AzuMao 30th Mar 2010
Please excuse me while I upload some malware using your computer, and give your neighbors some bullets.
Great Idea... Wrong Interpretation.
siradude 8th Apr 2010
Read my Post...

It said "malicious code creators" not victims or even spreading... I meant CREATORS!

Read much?
..thought police already? I guess your idea might work, then.


But that's a pretty big stretch, even for you.