I received a tip this week from one of our senior support representatives about a crafty new bit of PDF malware. He had been working with SophosLabs on an analysis request from a customer and ran into some clever and insidious behavior on the part of the criminals behind this attack.
The initial URL directs you to http://CENSORED/kt/ck_fuh/w###_.pdf. This PDF is unlike many other malicious PDFs in that it detects the version of Adobe Reader/Acrobat you are using and directs you to a payload that can take advantage of your specific unpatched vulnerabilities. It targets CVE-2008-2992, CVE-2009-0927, CVE-2009-4324 and CVE-2007-5659, which are present in Reader and Acrobat versions 9.0.x, 8.1.2, and 7.1.0 and below.
The initial poisoned PDF determines your Acrobat version and uses that to serve up an appropriate PDF document to exploit you. If you use a browser to go to the URL the PDF attempts to load, it simply redirects you to Google. But when you use Adobe Reader or Acrobat, you get a malicious document that proceeds to infect Windows PCs.
Fortunately, it appears that anyone who has bothered to update their Reader or Acrobat since February of 2009 will not be affected by this attack. As is all too common, though, many computers are running plenty of unpatched plugins.
Sophos detects the payload as Troj/FakeAV-BKB. This variant of FakeAV disables Internet Explorer's phishing filter, marks EXEs as low risk and turns off signature verification on executables. For unknown reasons it also turns off any proxies that might be configured, implying this malware is targeting home users.
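As an added example (not from the original article or from SophosLabs), this Python check audits a `reg export` dump of HKCU for the four setting changes described above. The registry value names are the standard Windows and Internet Explorer ones and are an assumption here; the article does not say which values this variant writes.

```python
import re

# Assumed mapping, not taken from the article: standard per-user values behind
# the four settings it lists. Tuple: key suffix, value name, test, finding.
CHECKS = [
    (r"\internet explorer\phishingfilter", "enabledv8",
     lambda v: v == 0, "phishing filter disabled"),
    (r"\currentversion\policies\associations", "lowriskfiletypes",
     lambda v: ".exe" in str(v).lower(), "EXEs marked low risk"),
    (r"\internet explorer\download", "checkexesignatures",
     lambda v: str(v).lower() == "no", "signature verification off"),
    (r"\currentversion\internet settings", "proxyenable",
     lambda v: v == 0, "proxy disabled"),
]

def parse_reg(text):
    """Parse `reg export` text into {key: {value name: int or str}}, lowercased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, string = m.groups()
                current[name.lower()] = int(dword, 16) if dword else string
    return keys

def audit(text, proxy_expected=True):
    """Return weakened settings; ProxyEnable=0 only counts where a proxy is expected."""
    found = []
    for key, values in parse_reg(text).items():
        for suffix, name, weakened, finding in CHECKS:
            if name == "proxyenable" and not proxy_expected:
                continue
            if key.endswith(suffix) and name in values and weakened(values[name]):
                found.append(finding)
    return sorted(found)

# Constructed sample export (HKCU) for illustration, not captured from an infection.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"EnabledV8"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe;.bat"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"""
print(audit(SAMPLE))
```

Any one finding can have a benign cause; all four together on a host that is supposed to use a proxy is the pattern worth escalating.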
Sophos customers who are using the Sophos Web Appliance or Sophos Anti-Virus or who have HIPS enabled in block mode are all protected against this attack. Keeping your Adobe products up to date isn't exactly new advice, but I felt it was worth emphasizing, considering the fact that our adversaries are using methods that customize malware to take advantage of any weakness we may exhibit. They are also becoming more adept at disguising their intentions, which makes troubleshooting that much harder.
Creative commons image courtesy of Stefan's Flickr photostream.