Malicious PDFs exploit zero-day vulnerability in Adobe Reader
Small number of targeted attacks keeps the threat level low for the time being
- By William Jackson
- Feb 20, 2009
Malicious code has been found hidden in portable document format (PDF) files that exploits a previously unknown buffer overflow vulnerability in several versions of Adobe Reader and Acrobat, researchers at Symantec Corp. have reported.
Symantec received samples of the malware Feb. 12, and Adobe was alerted when the vulnerability was identified, said Kevin Haley, director of Symantec Security Response. Adobe has given the issue a critical severity rating, but the security company has given it a low threat level because few attacks have been identified in the wild.
“Given the small number of attacks we are seeing, they are targeted attacks,” Haley said. The attacks have come as infected PDF files in e-mail attachments mailed to high-level officials in government agencies and large corporations. The malicious payload being downloaded can monitor desktop activity, log keystrokes and allow remote access to the compromised machine.
“The first attack we saw was in Japan,” Haley said. A very few have been found in the United States so far, and they also have been seen in China, Taiwan and the United Kingdom. “It’s not widespread. We don’t want to overhype it.”
Symantec has released antivirus signatures that identify the exploit code as Trojan.Pidief.E. Adobe said it expects to release updates for version 9 of Adobe Reader and Acrobat by March 11, with updates for version 8 to follow soon after, and version 7 bringing up the rear.
“In the meantime, Adobe is in contact with antivirus vendors, including McAfee and Symantec, on this issue in order to ensure the security of our mutual customers,” Adobe said on its online security bulletin. “A security bulletin will be published on http://www.adobe.com/support/security as soon as product updates are available.”
Because attacks so far have been targeted, there are no common e-mail subject lines or file names to look out for. The malicious PDF installs a backdoor Trojan on the compromised computer, which downloads an open-source toolkit known as GHOST that contains programs such as a “screen-scraper” to view the victim’s desktop and a keystroke logger. The goal appears to be to gather sensitive information from executives' computers.
Neither the source of the exploit nor the servers it uses have been discovered, Haley said.
“It’s hard to say where the attacks come from,” he said. “It is very difficult to trace these things back.”
William Jackson is a Maryland-based freelance writer.