When PDF's Attack... Again! 

Oct 23, 2007 03:00 AM

Some months ago I reported on a cross site scripting vulnerability relating to PDF files and browser handling of them. As it turned out, the vulnerability was not used in the wild much at all. Fast forward to October 2007, where we now have a new Adobe PDF vulnerability on our hands. First disclosed on September 20, 2007 by “pdp” on the Gnucitizen Web site, it was subsequently patched by Adobe yesterday.

One day later, we have discovered a new Trojan named Trojan.Pidief.A that actually exploits this vulnerability to compromise an unpatched computer. So far we have seen a fair number of emails containing this new Trojan in the wild. It is likely that Trojan.Pidief.A has been spammed out in targeted attacks on specific business organizations.

The Trojan will most likely arrive through email with a subject such as "invoice", "statement" or "bill" of some description, and just containing the .pdf file. So far we have seen the following file names used:

- INVOICE.pdf
- YOUR_BILL.pdf
- BILL.pdf
- STATEMET.pdf

The emails are using the following subject lines (note the misspellings):

- INVOICE alacrity
- INVOICE depredate
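
The traits described above (billing-themed subject, a listed attachment name, and a message that is nothing but a single PDF) can be combined into a simple mail-triage heuristic. The following is an added example, not code from the original post or from Symantec; the scoring scheme, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators listed in the post; matched case-insensitively.
KNOWN_FILENAMES = {"invoice.pdf", "your_bill.pdf", "bill.pdf", "statemet.pdf"}
SUBJECT_KEYWORDS = ("invoice", "statement", "bill")


def score_message(raw_bytes):
    """Return (score, reasons) for one raw e-mail message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    names = [p.get_filename().lower() for p in leaves if p.get_filename()]
    body = "".join(
        p.get_content() for p in leaves
        if p.get_content_maintype() == "text" and not p.get_filename()
    ).strip()

    reasons = []
    subject = str(msg["Subject"] or "").lower()
    if any(word in subject for word in SUBJECT_KEYWORDS):
        reasons.append("subject mentions invoice/statement/bill")
    if any(name in KNOWN_FILENAMES for name in names):
        reasons.append("attachment name listed in the post")
    # "Just containing the .pdf file": one PDF attachment, no body text.
    if len(names) == 1 and names[0].endswith(".pdf") and not body:
        reasons.append("message is only a single PDF")
    return len(reasons), reasons


def build_sample(subject, body, filename):
    """Constructed test message; addresses and PDF bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = subject
    m.set_content(body or "\n")  # whitespace-only body stands in for "empty"
    m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                     subtype="pdf", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for args in [("INVOICE alacrity", "", "INVOICE.pdf"),
                 ("Agenda for Monday", "Notes attached.", "agenda.pdf")]:
        print(args[0], "->", score_message(build_sample(*args)))
```

A score of 3 matches every trait in the post; lower scores are weak signals on their own, since ordinary billing mail also carries PDFs.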

If the .pdf file is opened and the vulnerability exploited, it will run code that will download an executable named ldr.exe. This downloaded file is already detected by Symantec as Downloader.

Symantec antivirus users with definition sets of October 23, 2007 revision 008 or greater are protected from this threat. We recommend that users update their antivirus product's definitions and their Adobe Reader or Acrobat software by applying the relevant vendor patch. Finally, treat any PDF documents with extreme caution.
