PDF Spam is Back—Again!
Symantec detected a major spam attack using the PDF vector on July 1, 2010. The attack comprises a crafty message asking the recipient to confirm his or her phone number in a PDF file attachment disguised as a phone bill. The payload within the PDF is a Trojan that is detected by Symantec as Trojan.Pidief.I, which exploits the Adobe Acrobat and Reader CVE-2010-0188 Unspecified Remote Code Execution vulnerability in order to drop additional malware on to the compromised computer.
Sample of the Trojan.Pidief.I attack
The attack lasted three hours and accounted for approximately 6% of all spam seen during that time, and it constituted approximately 1% of all spam seen on that day. Although PDF spam isn’t new, this is the highest percentage Symantec has seen in six months. The graph below illustrates the trend in spam using PDF vectors in the past six months:
As can be noted from the above graph, this specific vector is prevalent, but every month or so the modus operandi appears to be the sending of short bursts of new variant attacks, lasting a few days, in an effort to escape detection and improve the chances of a breach. In April, a similar attack was detected; it exploited vulnerabilities in Adobe Reader and Acrobat using the same family of Trojans, Trojan.Pidief. The trap in that case was an email pretending to be from the recipient’s email authority asking the recipient to open a PDF attachment containing new email settings:
Sample of a Trojan.Pidief attack
In addition to the PDF spam attacks, malicious attacks in spam in general have been on the increase over the past few months. In June, we saw some big attacks involving the Adclicker Trojan, which tries to install malicious programs to artificially generate traffic for pay-per-click advertising campaigns. The vector for that campaign involved an HTML attachment informing the recipient of account or setup notifications.
Sample of the Trojan.Adclicker attack
Sophistication in malicious attacks is continuing to increase. The motivations and end-usage scenarios for these attacks can be varied. Symantec advises its customers and readers to use best practices (see below) when opening any email attachments and also to use up-to-date antivirus and antispam software to guard against malicious attacks.
Checklist: Protecting your business, your employees, and your customers
- Unsubscribe from legitimate mailings that you no longer want to receive. When signing up to receive mail, verify what additional items you are opting into at the same time. De-select items you do not want to receive.
- Be selective about the websites where you register your email address.
- Avoid publishing your email address on the Internet. Consider alternate options—for example, use a separate address when signing up for mailing lists, get multiple addresses for multiple purposes, or look into disposable address services.
- Using directions provided by your mail administrators, report missed spam if you have an option to do so.
- Delete all spam.
- Avoid clicking on suspicious links in email or IM messages because these may be links to spoofed websites. We suggest typing Web addresses directly into the browser rather than relying upon links within your messages.
- Always be sure that your operating system is current with the latest updates, and employ a comprehensive security suite. For details on Symantec’s offerings of protection, visit http://www.symantec.com.
- Consider a reputable antispam solution to handle filtering across your entire organization, such as the Symantec Brightmail messaging security family of solutions.
- Keep up to date on recent spam trends by visiting the Symantec State of Spam site.
- Open unknown email attachments. These attachments could infect your computer.
- Reply to spam. Typically, the sender’s email address is forged, and replying will likely only result in more spam.
- Fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details through email. When in doubt, contact the company in question through an independent, trusted mechanism such as a verified telephone number, or a known Internet address that you type into a new browser window. Do not click or cut and paste from a link in the message.
- Buy products or services from spam messages.
- Open spam messages.
- Forward any virus warnings that you receive through email. These are often hoaxes.