SOURCE: BitDefender


March 02, 2009 11:18 ET

BitDefender Labs Identifies New Adobe PDF Exploit

Malware Provides Spammers and Harvesters With New Ways to Exploit Flaw

BUCHAREST, ROMANIA--(Marketwire - March 2, 2009) - BitDefender®, an award-winning provider of antivirus software and data security solutions and a leading anti-malware innovator, has identified the primary threats to users resulting from the latest Adobe PDF exploit, first discovered on November 4, 2008.

BitDefender's analysis has shown that the main threats to users from the malicious PDF are the following pieces of malware:

1. Backdoor.Poisonivy.GK (http://www.bitdefender.com/VIRUS-1000339-en--Backdoor.Poisonivy.CV.html), which enables the attacker to remotely connect to the infected computer and execute unauthorized commands. It also monitors and logs every application and application version the victim uses.

2. Trojan.Spammer.Tedroo.BA (http://www.bitdefender.com/VIRUS-1000360-en--Trojan.Spammer.Tedroo.html), which transforms an infected machine into a spamming computer.

3. Trojan.Spy.Goldun.NEP, which monitors Internet Explorer windows and steals the user's e-gold authentication credentials.

In order to stay safe from such privacy invasions, users are advised to keep their security solution up to date and to install all Adobe security updates as soon as they are provided.

Since Adobe's security update was released, it has been widely known that Adobe Reader 8 and Adobe Acrobat 8 (versions earlier than 8.1.3) were prone to multiple denial of service and code execution exploits. On November 6, two days after Adobe's public release, exploitation code for the "util.printf()" function (CVE-2008-2992) was released.

On November 7, the first Trojan was detected in the wild, received via email spam or maliciously crafted websites. Detected by BitDefender as Exploit.PDF.A, the JavaScript code inside the PDF was attempting to download other malware from http://adxdnet.n[removed]un.php after successful exploitation. The shell code was encoded in plain ASCII characters and was executed five seconds after the document was opened.

Further variations of this malicious PDF followed in subsequent months, evolving the exploitation code and changing the payload. More recent versions have been found to use encrypted code. Also, an exploit for the function "Collab.collectEmailInfo()" was added to increase infection success rates.
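The indicators described above (embedded JavaScript, calls to util.printf() or Collab.collectEmailInfo(), increasingly obfuscated or compressed code) can be turned into a simple triage check. The following is an added example, not BitDefender's code: it inflates FlateDecode streams and flags the two API names, using a constructed sample PDF (hypothetical, with a harmless util.printf call) as input.

```python
import re
import zlib

# JavaScript API names abused by the PDF exploits described in the write-up.
SUSPICIOUS_APIS = (b"util.printf", b"Collab.collectEmailInfo")

# Matches one "stream ... endstream" body; a real parser should also honour /Length.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def iter_streams(pdf: bytes):
    """Yield each stream body, inflating it when the object dictionary says /FlateDecode."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        # The dictionary of the object that owns this stream sits between "obj" and "stream".
        header = pdf[pdf.rfind(b"obj", 0, m.start()):m.start()]
        if b"/FlateDecode" in header:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # corrupt or non-zlib data: fall back to searching the raw bytes
        yield body


def scan_pdf(pdf: bytes) -> dict:
    """Return a triage verdict: whether JavaScript is present and which flagged APIs appear."""
    findings = {"has_javascript": b"/JavaScript" in pdf or b"/JS" in pdf, "apis": set()}
    # Check decoded stream bodies and the raw file (covers inline /JS string literals).
    for blob in list(iter_streams(pdf)) + [pdf]:
        for api in SUSPICIOUS_APIS:
            if api in blob:
                findings["apis"].add(api.decode())
    return findings


def build_sample() -> bytes:
    """Constructed sample: an OpenAction that runs compressed JavaScript calling util.printf."""
    js = b"app.alert(util.printf('%d', 1));"  # harmless call, only the API name matters here
    data = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Length " + str(len(data)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + data + b"\nendstream\nendobj\n")


if __name__ == "__main__":
    print(scan_pdf(build_sample()))
```

A hit on either API name is a reason to quarantine and inspect the file, not proof of exploitation, since legitimate forms can use the same calls.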

About BitDefender®

BitDefender is the creator of one of the industry's fastest and most effective lines of internationally certified security software. Since its inception in 2001, BitDefender has continued to raise the bar and set new standards in proactive threat prevention. Every day, BitDefender protects tens of millions of home and corporate users across the globe, giving them the peace of mind of knowing that their digital experiences will be secure. BitDefender solutions are distributed by a global network of value-added distribution and reseller partners in more than 100 countries worldwide. More information about BitDefender and its products is available at the company's security solutions press room.

Additionally, BitDefender's www.malwarecity.com provides background and the latest updates on security threats, helping users stay informed in the everyday battle against malware.