04 March 2009
Spammers and Harvesters Find New Ways to Exploit Flaw
BitDefender has analyzed the uses of the latest Adobe PDF exploit, first discovered on November 4, 2008.
BitDefender's analysis shows that the main threats to a user who downloads the e-threats delivered by a malicious PDF are the following malware, which affect the user as described:
1. Backdoor.Poisonivy.GK which enables the attacker to remotely connect to the infected computer and execute unauthorized commands. It also monitors and logs all the applications and application versions which the victim uses.
2. Trojan.Spammer.Tedroo.BA which transforms an infected machine into a spamming computer.
3. Trojan.Spy.Goldun.NEP which monitors Internet Explorer windows and steals the user's e-gold authentication credentials.
In order to stay safe from such privacy invasions, users are advised to update their security solution as well as install all Adobe security updates when they are provided.
Since Adobe's security update release, it has been widely known that Adobe Reader 8 and Adobe Acrobat 8 (versions earlier than 8.1.3) were prone to multiple denial-of-service and code-execution exploits. This vital information was also known to spammers and information harvesters.
On November 6, two days after Adobe's public release, exploitation code for the "util.printf()"
One day later, the first Trojan was detected in the wild, distributed via e-mail spam or maliciously crafted websites. Detected by BitDefender as Exploit.PDF.A, the JavaScript code inside the PDF attempted to download other malware from http://adxdnet.n[removed]un.php after successful exploitation. The shellcode was encoded as plain ASCII characters and was executed 5 seconds after the document was opened.
Further variations of this malicious PDF followed in subsequent months, evolving the exploitation code and changing the payload. More recent versions have been found to carry encrypted code. In addition, an exploit for the function "Collab.collectEmailInfo()" was added to increase infection success rates.
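A static triage check for the indicators this release describes (JavaScript embedded in a PDF, the util.printf() and Collab.collectEmailInfo() API names, and a timer-delayed execution), written as an added example for defenders and not taken from BitDefender's own tooling. It assumes the delay is implemented with the Acrobat app.setTimeOut() call, which the release does not name, and the sample documents are constructed inline.

```python
import re
import zlib

# Acrobat JavaScript APIs named in the release; a hit alone is not proof of malice,
# it flags the file for analyst review.
SUSPICIOUS_CALLS = ("util.printf", "Collab.collectEmailInfo")
# Heuristic stream locator, not a PDF parser: binary data containing "endstream" will confuse it.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
JS_NAME_RE = re.compile(rb"/(?:JavaScript|JS)\b")

def _chunks(pdf_bytes: bytes):
    """Yield the whole file, each raw stream, and each stream inflated as FlateDecode when possible."""
    yield pdf_bytes
    for m in STREAM_RE.finditer(pdf_bytes):
        raw = m.group(1)
        yield raw
        try:
            yield zlib.decompressobj().decompress(raw)  # tolerates trailing bytes after the stream
        except zlib.error:
            pass

def triage_pdf(pdf_bytes: bytes) -> dict:
    """Return static indicators: embedded JavaScript, risky API names, and delayed execution."""
    hits = set()
    has_js = delayed = False
    for chunk in _chunks(pdf_bytes):
        has_js = has_js or JS_NAME_RE.search(chunk) is not None
        delayed = delayed or b"app.setTimeOut" in chunk  # assumption: timer-based delay
        hits.update(c for c in SUSPICIOUS_CALLS if c.encode() in chunk)
    return {"has_javascript": has_js, "suspicious_calls": sorted(hits), "delayed_exec": delayed}

def _build_sample(js: bytes) -> bytes:
    """Constructed minimal PDF-like blob whose JavaScript sits in a FlateDecode stream."""
    body = zlib.compress(js)
    return (b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n2 0 obj\n<< /Length "
            + str(len(body)).encode() + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")

# Constructed samples: a harmless util.printf call on a 5-second timer, and a PDF without JavaScript.
SUSPECT_SAMPLE = _build_sample(b"app.setTimeOut(\"util.printf('%d', 1)\", 5000);")
CLEAN_SAMPLE = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage_pdf(SUSPECT_SAMPLE))
    print(triage_pdf(CLEAN_SAMPLE))
```

Because the check inflates FlateDecode streams, it also catches the API names when they are hidden in compressed objects, which a plain string search over the file would miss.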