Pdf malware is being actively distributed. Our user community is seeing a slew of rigged pdf files attacking various buffer overflow vulnerabilities in the Adobe Acrobat Reader software, including the newest publicly known. Sometimes, the user is duped into downloading malicious files appearing to be Microsoft software updates. More often, they appear to be downloading silent malicious installers.

A couple of the downloaded, packed files appear to carry with them tricks that continue to evade AV file scanning with VirusTotal results at 5/36.

For example, a chunk of the standard download and execute shellcode that we are currently seeing pulls a file from hxxp://ascoprguide. net/lel / load.php?xpl=pdf, renames it as c:\\U.exe, and runs it on the victim’s system. This “U.exe” then runs and installs other adware and spyware related components.
Other downloads are installing various Rogueware packages, like the ones we presented at Virus Bulletin 2008.

Be sure to visit the Adobe site and update your Acrobat Reader software.

This entry was posted on Monday, November 10th, 2008 at 1:59 pm and is filed under Exploit, Obfuscation, Rogueware, Vulnerability. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.