Adobe-based Attacks Use PDF to Spread Fake Antivirus

Researchers at the security company 'Sophos' have discovered that attackers are using a PDF file to identify Adobe Reader's version and unleashing a suitable attack code. If exploited effectively, Sophos claims, a sample of fake antivirus gets downloaded and deployed on the target PC.

Chester Wisniewski, Senior Security Advisor at Sophos, states that the first URL takes the user to http://CENSORED/kt/ck_fuh/w###_.pdf. As different from a lot of other malevolent PDF documents, this PDF identifies Adobe Acrobat/Reader's version on the victim's PC and then takes him to a payload, which can exploit the user's un-patched security flaws, as reported by SoftPedia on July 2, 2010.

Wisniewski writes in his blog that the attack exploits CVE-2009-0927, CVE-2008-2992, CVE-2007-5659 and CVE-2009-4324 that exist in Acrobat and Reader versions 9.0.x, 8.1.2 and 7.1.0 and earlier, as reported by Sophos on June 30, 2010.

The researcher additionally explains that the first corrupt PDF detects the victim's Acrobat version and utilizes it to unleash a suitable PDF file for exploitation. If the victim visits the URL that the PDF tries to upload through his Web-browser, he is diverted to Google. If he utilizes Adobe Acrobat/Reader, he receives a malevolent file which starts contaminating Windows computers, Wisniewski adds.

Apparently, the researchers at Sophos claim that the payload is Troj/FakeAV-BKB, which turns off the phishing filter of Internet Explorer. The FAKEAV also labels .exe files as bearing minimal risk and disables systems detecting executables. Moreover, it disables all proxies, which may be preset, implying this malicious software attack home PCs.

The attack doesn't affect anyone who may have made his Acrobat/Reader up-to-date since February 2009. However, many PCs are running without patches.

Commenting on the attack, security researchers stated that the hackers selected the PDF technique possibly to make the detection of the attack more difficult for security investigators. The concept had been further implemented with the payload as merely deployed as well as the 2nd URL accessed through Reader. If accessed through a Web-browser, a redirect would get triggered connecting to google.com.

Related article: Adobe Rates Acrobat Vulnerabilities “Critical”

» SPAMfighter News - 13-07-2010

 

All SPAMfighter products offer a free trial!

SPAMfighter box shot

SPAMfighter is a free spam filter for Outlook, Outlook Express,Windows Mail, Windows Live Mail and Thunderbird.

SLOW-PCfighter

Optimize your Slow PC for better performance. Try FREE scan now

Full disk or slow disk?
Disk space recovery
and disk optimization. Try FULL-DISKfighter free


Spam Filter for Exchange Server

SPAMfighter Exchange Module is a Spam filter for Exchange server - Free 30 days trial.

Remove spyware

Remove Spyware with SPYWAREfighter - Free 30 days trial

Antivirus software

Antivirus software for your Windows PC - Free 30 days trial

<<<  >>> 

Compatible with Windows 7

Works with Windows Vista

SPAMfighter is

Microsoft Gold Certified Partner

Intel Software Partner