Tuesday, October 23, 2007 2:17 PM cmosby

Symantec Security Response Weblog: When PDF's Attack... Again!

 


Some months ago I reported on a cross-site scripting vulnerability relating to PDF files and browser handling of them. As it turned out, the vulnerability was not used in the wild much at all. Fast forward to October 2007, where we now have a new Adobe PDF vulnerability on our hands. First disclosed on September 20, 2007 by “pdp” on the Gnucitizen Web site, it was subsequently patched by Adobe yesterday.

One day later, we have discovered a new Trojan named Trojan.Pidief.A that actually exploits this vulnerability to compromise an unpatched computer. So far we have seen a fair number of emails containing this new Trojan in the wild. It is likely that Trojan.Pidief.A has been spammed out in targeted attacks on specific business organizations.

The Trojan will most likely arrive through email with a subject such as "invoice", "statement" or "bill" of some description, and containing just the .pdf file. So far we have seen the following file names used:

- INVOICE.pdf
- YOUR_BILL.pdf
- BILL.pdf
- STATEMET.pdf

The emails are using the following subject lines (note the misspellings):

- INVOICE alacrity
- INVOICE depredate

If the .pdf file is opened and the vulnerability exploited, it will run code that will download an executable named ldr.exe. This downloaded file is already detected by Symantec as Downloader.

Symantec antivirus users with definition sets of October 23, 2007 revision 008 or greater are protected from this threat. We recommend that users update their antivirus product's definitions and their Adobe Reader or Acrobat software by applying the relevant vendor patch. Finally, treat any PDF documents with extreme caution.

Posted by Hon Lau on October 23, 2007 07:45 AM

Source: Symantec Security Response Weblog: When PDF's Attack... Again!
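The delivery traits described in the post (billing-themed subject, one of the reported attachment names, a message carrying nothing but the PDF) can be checked at a mail gateway or during mailbox triage. The following is an added example, not code from Symantec or from the original post; the function names and the sample messages are constructed for illustration, and a match is a triage signal rather than a verdict, since names like INVOICE.pdf are also common in legitimate mail.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators listed in the post above, lower-cased for case-insensitive matching.
KNOWN_FILENAMES = {"invoice.pdf", "your_bill.pdf", "bill.pdf", "statemet.pdf"}
SUBJECT_WORDS = ("invoice", "statement", "bill")

def pdf_attachment_names(msg):
    """Lower-cased filenames of parts that are PDFs by extension or MIME type."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(".pdf") or part.get_content_type() == "application/pdf":
            names.append(name)
    return names

def triage(raw_bytes):
    """Return the reasons a message matches the description (empty list = no match)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    pdfs = pdf_attachment_names(msg)
    if not pdfs:
        return []
    reasons = []
    hits = sorted(set(pdfs) & KNOWN_FILENAMES)
    if hits:
        reasons.append("reported filename: " + ", ".join(hits))
    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in SUBJECT_WORDS):
        reasons.append("billing-themed subject with PDF attachment")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        reasons.append("no message text, only the PDF")
    return reasons

def build_sample(subject, filename, text=""):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, "sender@example.com", "user@example.com"
    if text:
        m.set_content(text)
    m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                     subtype="pdf", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("INVOICE alacrity", "INVOICE.pdf")))
    print(triage(build_sample("Meeting notes", "agenda.pdf", "See attached.")))
```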


Comments

# re: Symantec Security Response Weblog: When PDF's Attack... Again!

Tuesday, October 23, 2007 3:27 PM by rodtrent

I love Adobe.