PDF and Java malware target unpatched PCs... again

Filed Under: Java, Malware, PDF, Vulnerability

Hidden Stormtroopers

I received a tip this week from one of our senior support representatives about a crafty new bit of PDF malware. He had been working with SophosLabs on an analysis request from a customer and ran into some clever and insidious behavior on the part of the criminals behind this attack.

The initial URL directs you to http://CENSORED/kt/ck_fuh/w###_.pdf. This PDF is unlike many other malicious PDFs in that it detects the version of Adobe Reader/Acrobat you are using and directs you to a payload that can take advantage of your specific unpatched vulnerabilities. It targets CVE-2008-2992, CVE-2009-0927, CVE-2009-4324 and CVE-2007-5659, which are present in Reader and Acrobat versions 9.0.x, 8.1.2, and 7.1.0 and below.

The initial poisoned PDF determines your Acrobat version and uses that to serve up an appropriate PDF document to exploit you. If you use a browser to go to the URL the PDF attempts to load, it simply redirects you to Google. But when you use Adobe Reader or Acrobat, you get a malicious document that proceeds to infect Windows PCs.
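As a defender-side illustration of the version-keyed behaviour just described, the following Python triage scanner is an added example, not code from this post or from SophosLabs. It flags the PDF features involved: automatic actions, embedded JavaScript, and a script that reads app.viewerVersion, the Acrobat JavaScript property a document consults to learn the viewer version. It inflates FlateDecode streams before matching, since the object holding the script is usually compressed. The sample PDF it builds is constructed for this example and carries no payload.

```python
import re
import zlib

# Indicators a triage analyst looks for. The names are PDF-specification
# tokens; app.viewerVersion is Acrobat's documented JavaScript property for
# the viewer version, the lookup behind the version-keyed serving the post
# describes.
INDICATORS = {
    b"/JavaScript": "embedded JavaScript action",
    b"/JS": "inline JavaScript string or stream",
    b"/OpenAction": "action runs automatically when the file opens",
    b"/AA": "additional (event-triggered) action",
    b"/Launch": "launch action (may start an external program)",
    b"app.viewerVersion": "script reads the Reader/Acrobat version",
}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate(stream: bytes) -> bytes:
    """Inflate a FlateDecode stream; returns b"" if the data is not valid zlib."""
    d = zlib.decompressobj()
    try:
        return d.decompress(stream) + d.flush()
    except zlib.error:
        return b""


def scan_pdf(data: bytes) -> dict:
    """Map each object number to the indicators found in it.

    The raw object dictionary is checked with stream bodies blanked out (so
    binary data cannot produce chance matches), and every /FlateDecode stream
    is inflated and checked separately."""
    findings = {}
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        views = [STREAM_RE.sub(b"stream\nendstream", body)]
        if b"/FlateDecode" in views[0]:
            views += [inflate(s.group(1)) for s in STREAM_RE.finditer(body)]
        hits = [desc for token, desc in INDICATORS.items()
                if any(token in v for v in views)]
        if hits:
            findings[num] = hits
    return findings


def build_sample_pdf() -> bytes:
    """Constructed sample for this example (not a real malicious file): the
    open action runs a compressed script that only reads app.viewerVersion."""
    script = b"var v = app.viewerVersion;"
    packed = zlib.compress(script)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objects, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for num, hits in scan_pdf(build_sample_pdf()).items():
        print(f"object {num}: " + "; ".join(hits))
```

Run against a real sample the scanner reports which object carries the open action, which carries the script, and whether that script consults the viewer version; a clean document with no actions produces an empty result. It is a first-pass heuristic only: it does not follow object streams or other filters, so an empty result is not proof of a benign file.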

Fortunately, it appears that anyone who has bothered to update their Reader or Acrobat since February of 2009 will not be affected by this attack. As is all too common, though, many computers are running plenty of unpatched plugins.

Sophos detects the payload as Troj/FakeAV-BKB. This variant of FakeAV disables Internet Explorer's phishing filter as well as marking EXEs as low risk and turning off signature verification on executables. For unknown reasons it also turns off any proxies that might be configured, implying this malware is targeting home users.
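The settings changes described here leave traces a responder can check. The following Python audit is an added example, not part of this post or a Sophos tool; the registry locations it inspects are the well-known HKCU values behind the IE phishing filter, low-risk file types, executable signature checking and the WinINET proxy, chosen for this example rather than taken from the post, and the two profiles it ships with are constructed samples, not captures from a FakeAV-BKB infection.

```python
import sys
from typing import Callable, Dict, List, Tuple

Setting = Tuple[str, str]          # (subkey under HKCU, value name)
Settings = Dict[Setting, object]   # data as stored: int for DWORD, str for REG_SZ

# (subkey, value name, what the weakened state does, predicate on the data).
# Key paths are well-known Windows locations chosen for this example; the
# post itself only describes the effects.
WEAKENING_CHECKS: List[Tuple[str, str, str, Callable[[object], bool]]] = [
    ("Software\\Microsoft\\Internet Explorer\\PhishingFilter", "EnabledV8",
     "IE8 SmartScreen/phishing filter disabled", lambda d: d == 0),
    ("Software\\Microsoft\\Internet Explorer\\PhishingFilter", "Enabled",
     "IE7 phishing filter disabled", lambda d: d == 0),
    ("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations", "LowRiskFileTypes",
     ".exe added to low-risk file types (no download warning)",
     lambda d: isinstance(d, str) and ".exe" in d.lower()),
    ("Software\\Microsoft\\Internet Explorer\\Download", "CheckExeSignatures",
     "signature check on downloaded executables turned off",
     lambda d: isinstance(d, str) and d.lower() == "no"),
]

PROXY_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"


def audit(settings: Settings) -> List[str]:
    """Describe every weakened setting found in `settings`.

    Absent values are treated as defaults and never flagged."""
    findings = []
    for key, name, effect, is_weak in WEAKENING_CHECKS:
        data = settings.get((key, name))
        if data is not None and is_weak(data):
            findings.append(f"{key}\\{name}: {effect}")
    # A configured proxy that has been switched off matches the post's
    # "turns off any proxies"; on its own it is also a legitimate user choice,
    # so weigh it together with the other findings.
    server = settings.get((PROXY_KEY, "ProxyServer"))
    if server and settings.get((PROXY_KEY, "ProxyEnable")) == 0:
        findings.append(f"{PROXY_KEY}\\ProxyEnable: configured proxy {server!r} disabled")
    return findings


def read_live_settings() -> Settings:
    """Collect the checked values from the current user's hive (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read requires Windows")
    import winreg
    wanted = [(k, n) for k, n, _, _ in WEAKENING_CHECKS]
    wanted += [(PROXY_KEY, "ProxyServer"), (PROXY_KEY, "ProxyEnable")]
    out: Settings = {}
    for key, name in wanted:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as h:
                out[(key, name)] = winreg.QueryValueEx(h, name)[0]
        except OSError:
            pass  # key or value absent: default state
    return out


# Constructed sample snapshots (not real captures): a clean profile and one
# after the kind of tampering the post describes.
CLEAN_PROFILE: Settings = {
    ("Software\\Microsoft\\Internet Explorer\\PhishingFilter", "EnabledV8"): 1,
    ("Software\\Microsoft\\Internet Explorer\\Download", "CheckExeSignatures"): "yes",
}
TAMPERED_PROFILE: Settings = {
    ("Software\\Microsoft\\Internet Explorer\\PhishingFilter", "EnabledV8"): 0,
    ("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations", "LowRiskFileTypes"): ".exe",
    ("Software\\Microsoft\\Internet Explorer\\Download", "CheckExeSignatures"): "no",
    (PROXY_KEY, "ProxyServer"): "proxy.example:8080",
    (PROXY_KEY, "ProxyEnable"): 0,
}

if __name__ == "__main__":
    snapshot = read_live_settings() if sys.platform == "win32" else TAMPERED_PROFILE
    for line in audit(snapshot):
        print(line)
```

On a Windows host the script audits the current user's hive directly; elsewhere it runs against the constructed tampered profile so the logic can be exercised offline. Each finding is only an indicator; a machine showing several of them at once, together with a detection such as Troj/FakeAV-BKB, is the picture this post describes.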

Sophos customers who are using the Sophos Web Appliance or Sophos Anti-Virus, or who have HIPS enabled in block mode, are all protected against this attack. Keeping your Adobe products up to date isn't exactly new advice, but I felt it was worth emphasizing, considering that our adversaries are using methods that customize malware to take advantage of any weakness we may exhibit. They are also becoming more adept at disguising their intentions, which makes troubleshooting that much harder.

Creative commons image courtesy of Stefan's Flickr photostream.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.