Malicious PDF on the Loose
Just a day after Adobe plugged a serious security hole in its Reader and Acrobat programs, unscrupulous mischief-mongers are flooding people's inboxes with malware-laden PDF files that attempt to hijack vulnerable computers remotely.
The malware, identified by Symantec researchers as Trojan.Pidief.A, is embedded in PDF files attached to a large number of e-mails, as reported by The Register on October 24, 2007.
According to an advisory from the SANS Internet Storm Center, the spam characteristically targets particular businesses or organizations. The e-mails generally carry subjects such as "statement", "invoice" or "bill" and contain hardly any text in the body. When the attached PDF is opened with a vulnerable version of the Adobe software, it runs code that lowers the security settings of Windows and drops a flock of further malware onto the machine.
Describing the exploit, Justin Bertman, Manager of Webroot's Threat Research Development, said that it works by disabling the built-in Windows Firewall and then uses FTP to download and execute a file. The exploit itself is new, but the payload that is downloaded and run is rather old. The statement was published by Channel Web Network on October 23, 2007.
James Heimbuck, Head of Definition Development at Webroot, said that this PDF exploit appears to be a spam campaign that, in all probability, originates from a phishing network in Russia. He added that the payload is a Trojan phisher named Snifula, which is quite old and not a new threat. Moreover, the Webroot team has not yet seen any spam outbreaks being unleashed through the Adobe vulnerability. This statement was published by Channel Web Network on October 23, 2007.
Even though Adobe patched the latest versions of Acrobat and Reader, the underlying vulnerability is ultimately the responsibility of Microsoft Corporation. The Redmond, Washington-based software giant acknowledged in the first week of October 2007 that it would patch commonly used protocol handlers such as mailto: in Windows XP and Windows Server 2003. Only users running the Internet Explorer 7 browser on Windows XP or Windows Server 2003 are exposed to the PDF exploit.
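A defender's triage check for attachments of the kind described above: scan a PDF for URI actions that hand off to a non-web protocol handler such as mailto:, and for actions that fire automatically when the file is opened. This is an added example, not code from the article or from any vendor it names; the PDF bytes are a constructed sample and the list of suspicious characters is a heuristic assumption, not a published signature.

```python
import re
from urllib.parse import urlsplit

# Constructed sample PDF fragment (not a real malware sample): a URI action
# wired to /OpenAction whose target is a mailto: URL carrying a character
# that does not belong in a plain e-mail address.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /URI /URI (mailto:bill%statement@example.invalid) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /S /URI action followed by its literal-string target, e.g. /URI (mailto:...)
URI_ACTION = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)", re.S)
# Triggers that run an action without the user clicking anything.
AUTO_TRIGGER = re.compile(rb"/(OpenAction|AA)\b")
SAFE_SCHEMES = {"http", "https"}
# Heuristic (assumption): characters that are a red flag inside the address
# part of a mailto: URL. Percent-encoding is legal there, so treat hits as
# something to inspect, not as a verdict.
MAILTO_BAD = set('%/\\"\'<>|` \t')


def triage_pdf(data: bytes) -> list:
    """Return human-readable findings for a raw, uncompressed PDF body.
    Only plain object syntax is inspected; object streams and FlateDecode
    content would have to be inflated before this check sees them."""
    findings = []
    if AUTO_TRIGGER.search(data):
        findings.append("auto-trigger: /OpenAction or /AA present (fires on open)")
    for m in URI_ACTION.finditer(data):
        uri = m.group("uri").decode("latin-1")
        scheme = urlsplit(uri).scheme.lower()
        if scheme not in SAFE_SCHEMES:
            findings.append(f"non-web URI action: scheme {scheme or '(none)'!r} in {uri!r}")
        if scheme == "mailto":
            addr = uri[len("mailto:"):].split("?", 1)[0]
            bad = sorted(MAILTO_BAD & set(addr))
            if bad:
                findings.append(f"mailto: address contains {bad}; the OS protocol handler, "
                                "not a mail client, decides what this string means")
    return findings


if __name__ == "__main__":
    for line in triage_pdf(SAMPLE_PDF):
        print(line)
```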
SPAMfighter News - 14-11-2007