Has Elvis Left the Building?

I know people are getting sick of malware, attacks, and blogs associated with recent celebrities’ deaths, especially over the past week. But, here we go again. Even a week after Michael Jackson's death was announced, some people refuse to accept that he is gone. Well, after 32 years, even some fanatic followers believe Elvis Presley is still alive.

Security Response has found a suspiciously titled PDF file named “Elvis_Presley_is_alive!!!.pdf.” Maybe Elvis really is still alive, but this particular Elvis has hellhounds with him in the form of exploit code and malware.

When the malicious PDF file is opened, users won’t see any pictures or articles on the aging “King of Rock 'n' Roll,” but instead the file tries to exploit three separate PDF vulnerabilities:

• Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (BID 34169)

• Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability (BID 30035)

• Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641)

Upon a successful exploit attempt a malicious file (load.exe) is downloaded. We detect the file as Infostealer.Bancos. The malicious PDF file is detected as Trojan.Pidief.C. If exploit attempts fail, the user will see the following PDF page:

Well, ladies and gentlemen, and good boys and girls out there, Elvis has left the building!