Symantec Security Response has received several PDF files that actively exploit a vulnerability in Adobe Reader. We remain in contact with Adobe regarding this vulnerability in order to ensure the security of our mutual customers.
This exploit is currently detected heuristically as Bloodhound.PDF.6 by our products. We have noticed an increase in submissions of similar PDFs using this exploit. So far, these attacks appear to be targeted and not widespread. Symantec is continuing to monitor the vulnerability’s use in the wild.
Customers should keep their antivirus definitions up to date. Malicious PDFs using this exploit will be detected as Trojan.Pidief.E. The heuristic detection for Bloodhound.PDF.6 will also help mitigate this threat. The malicious payload is detected as Backdoor.Trojan. This back door is a popular open-source toolkit, originally from China, known as GH0ST. The GH0ST back door is modular; among other things, attackers can use it to view the desktop, record keystrokes, and remotely access the compromised machine. The screenshot below shows an example of the GH0ST back door builder application: