Throughout 2009 we have been reporting on the large rise in the volume of attacks that use malicious PDF samples to infect victims with malware . If anything, the past few weeks have shown an increase in such attacks. In this blog entry I will describe one such attack that I noticed this morning.
The malicious PDF used in the attack is hosted on a domain registered earlier this week, and updated yesterday.
Domain Name: SCEPICAL.COM
Created on: 11-AUG-09
Expires on: 11-AUG-10
Last Updated on: 12-AUG-09
Victims are most likely to hit this page without their knowledge, via compromised sites loading its contents silently. An iframe in the page at the root of the attack site, loads the PDF. The page contains no other content.
- CVE-2008-2992 (util.printf) – all versions > 8
- CVE-2007-5659 (Collab.collectEmailInfo) – versions < 9
- CVE-2009-0927 (Collab.getIcon) – versions < = 9.1
- CVE-2009-1493 (customDictionaryOpen) – versions >9
And the net result for victims hitting this page? A Sophos endpoint security alert for Troj/PDFJs-CI. End of story.
If the PDF where not detected, Adobe Reader is exploited, and further malware is downloaded from the attack site and executed (this is proactively detected as Mal/EncPk-IF). This in turn this downloads further malware (also Mal/EncPk-IF), prior to the machine being shutdown. I tested the attack against Adobe Reader 9.1 (fresh install) and 9.1.3 (fresh install + update) and confirmed the application was successfully exploited in each case, infecting the machine.
Once restarted, the purpose of the attack is immediately apparent.
The nagging starts, and PC AntiSpyware 2010 (detected as Mal/EncPk-IF also) is downloaded.
Once installed, a system scan is performed, alerting the user to numerous non-existent threats.
I noticed that for some of the “threats” (such as the file highlighted above), the corresponding files did exist (containing garbage).
As usual with fake AV, the user is prompted with various registration alerts.
What should users do to defend against these type of attacks? The usual: