Russian hackers apparently exploit Acrobat Reader vulnerability

The first exploits of a recently described vulnerability in Adobe Acrobat and Reader on Windows have been reported in the wild by researchers at SecureWorks.

Senior researcher Don Jackson said the exploit is being distributed as a PDF file in spam and downloads a variant of the Gozi Trojan. This Trojan is programmed to capture data entered into secure Web sites, ensuring that it will catch most financial or other transactions that can yield valuable personal and account data.

The Gozi Trojan dates to February and has been used by the Russian Business Network to steal large volumes of personal data. The latest version of it, Gozi.F, was detected by only 26 percent of the 32 largest anti-malware vendors as of Oct. 23, SecureWorks said.

The PDF exploit is the first found in the wild of a vulnerability detected in September and described as CVE-2007-5020 in the National Vulnerability Database. It can enable the execution of malicious code through a doctored PDF file.

Adobe rated this vulnerability, which affects users on Windows XP or Windows 2003 with Internet Explorer 7 installed, as critical. Exploitation requires downloading the malicious file. The company on Oct. 22 recommended that affected users upgrade to Adobe Reader 8.1.1 or Acrobat 8.1.1.

SecureWorks reported that it spotted a large volume of spam containing PDF attachments on Oct. 23, the day after this advisory.

"These attachments were, in fact, the first exploits of a vulnerability in the handling of 'mailto' URLs in Adobe Acrobat 8.x ever found in the wild," Jackson wrote.

The PDF is labeled as a bill or invoice and can be included as an attachment or represented as a PDF file icon. In either case, when opened, it downloads a first-stage downloader EXE file from the Russian Business Network hacker site by anonymous FTP and executes it. The downloader then installs the Trojan, which is used to capture and send personal data.

In addition to updating antivirus signatures, SecureWorks advises administrators to block traffic to the Russian Business Network by blocking FTP traffic to 81.95.146.130 and HTTP traffic to 81.95.147.107. And, of course, don't open attachments from untrusted sources, regardless of the format.
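An added example, not part of the article or of SecureWorks' advisory, of how an administrator could act on the two indicators above: it filters a few constructed firewall log lines (in a simplified, hypothetical `src=/dst=/dport=` format) for any connection to 81.95.146.130 or 81.95.147.107, lists the internal hosts that need triage, and prints the egress-block rules the advisory describes. The log format, the internal 10.1.2.0/24 addresses and the 203.0.113.9 benign destination are all constructed; only the two RBN addresses come from the article.

```python
"""Filter firewall logs for the two RBN addresses named in the SecureWorks advisory
and emit matching egress-block rules. Added example; not from the article."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators quoted in the article (the only page-specific values used here).
INDICATORS: Dict[str, Dict[str, object]] = {
    "81.95.146.130": {"port": 21, "label": "RBN FTP (first-stage downloader host)"},
    "81.95.147.107": {"port": 80, "label": "RBN HTTP"},
}

# Constructed sample log in a simplified, hypothetical firewall format.
# 10.1.2.0/24 stands in for the internal LAN; 203.0.113.9 is a benign
# destination from the documentation range.
SAMPLE_LOG = """\
Oct 23 09:14:02 fw1 conn src=10.1.2.33 dst=81.95.146.130 dport=21 proto=tcp action=allow
Oct 23 09:14:05 fw1 conn src=10.1.2.33 dst=81.95.146.130 dport=21 proto=tcp action=allow
Oct 23 09:14:09 fw1 conn src=10.1.2.33 dst=81.95.147.107 dport=80 proto=tcp action=allow
Oct 23 09:15:00 fw1 conn src=10.1.2.44 dst=203.0.113.9 dport=443 proto=tcp action=allow
Oct 23 09:16:12 fw1 conn src=10.1.2.51 dst=81.95.147.107 dport=443 proto=tcp action=allow
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ conn "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    dport: int
    label: str
    on_advisory_port: bool  # True when the port matches the service the advisory names


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one connection record, or None for lines that do not
    parse or carry an invalid address (malformed lines are skipped, not fatal)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ipaddress.ip_address(m["src"])
        ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"]}


def find_hits(log_text: str) -> List[Hit]:
    """Every connection to an indicator address, whatever the port: a host that
    reached the RBN address on an unexpected port still deserves triage."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in INDICATORS:
            continue
        ind = INDICATORS[rec["dst"]]
        hits.append(Hit(rec["ts"], rec["src"], rec["dst"], rec["dport"],
                        str(ind["label"]), rec["dport"] == ind["port"]))
    return hits


def triage_hosts(log_text: str) -> List[str]:
    """Internal sources that contacted an indicator, sorted, each listed once."""
    return sorted({h.src for h in find_hits(log_text)}, key=ipaddress.ip_address)


def iptables_rules() -> List[str]:
    """Egress rules matching the advisory's recommendation; review before applying."""
    return [
        f"iptables -A OUTPUT -p tcp -d {ip} --dport {ind['port']} -j DROP"
        for ip, ind in INDICATORS.items()
    ]


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        flag = "" if h.on_advisory_port else " (non-advisory port)"
        print(f"{h.timestamp} {h.src} -> {h.dst}:{h.dport} {h.label}{flag}")
    print("hosts to triage:", ", ".join(triage_hosts(SAMPLE_LOG)))
    print("\n".join(iptables_rules()))
```

The matcher keys on the destination address rather than on address plus port, so the host that reached 81.95.147.107 on 443 is still reported (marked as a non-advisory port); the block rules, by contrast, stay as narrow as the advisory wrote them. Note also that the address-only block does nothing for a machine that has already fetched the downloader, so signature updates and the Reader 8.1.1 upgrade remain the primary fix.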

About the Author

William Jackson is a Maryland-based freelance writer.
