Russian hackers apparently exploit Acrobat Reader vulnerability
- By William Jackson
- Oct 26, 2007
The first exploits of a recently described vulnerability in Adobe Acrobat and Reader on Windows have been reported in the wild by researchers at SecureWorks.
Senior researcher Don Jackson said the exploit is being distributed as a PDF file in spam and downloads a variant of the Gozi Trojan. This Trojan is programmed to capture data entered into secure Web sites, ensuring that it will catch most financial or other transactions that can yield valuable personal and account data.
The Gozi Trojan dates to February and has been used by the Russian Business Network to steal large volumes of personal data. The latest version of it, Gozi.F, was detected by only 26 percent of the 32 largest anti-malware vendors as of Oct. 23, SecureWorks said.
The PDF exploit is the first found in the wild of a vulnerability detected in September and described as CVE-2007-5020 in the National Vulnerability Database. It can enable the execution of malicious code through a doctored PDF file.
Adobe rated this vulnerability, which affects users on Windows XP or Windows 2003 with Internet Explorer 7 installed, as critical. Exploitation requires downloading the malicious file. The company on Oct. 22 recommended that affected users upgrade to Adobe Reader 8.1.1 or Acrobat 8.1.1.
SecureWorks reported that it spotted a large volume of spam containing PDF attachments on Oct. 23, the day after this advisory.
'These attachments were, in fact, the first exploits of a vulnerability in the handling of 'mailto' URLs in Adobe Acrobat 8.x ever found in the wild,' Jackson wrote.
The PDF is labeled as a bill or invoice and can be included as an attachment or represented as a PDF file icon. In either case, when opened, it downloads a first-stage downloader EXE file from the Russian Business Network hacker site by anonymous FTP and executes it. The downloader then installs the Trojan, which is used to capture and send personal data.
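As an added illustration (not code from the article or from SecureWorks), here is a small Python triage check a mail gateway could run over a PDF attachment: it extracts URI actions from the raw file and holds any document that carries a mailto: target, since the attack described here rides on Acrobat's handling of such URLs. The sample PDF, the addresses and the "well-formed address" heuristic are all constructed for the example.

```python
import re

# Constructed sample: a minimal PDF whose single page carries one link
# annotation with a URI action. It stands in for the "invoice" attachment
# the article describes and contains no payload of any kind.
def make_sample_pdf(uri: bytes) -> bytes:
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /A 5 0 R >> endobj\n"
        b"5 0 obj << /Type /Action /S /URI /URI (" + uri + b") >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )

# /URI (...) literal strings, honouring \( \) \\ escapes inside the parentheses.
# Hex strings (<...>) and compressed object streams are out of scope here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
ESCAPE_RE = re.compile(rb"\\(.)", re.DOTALL)  # only delimiter escapes matter here

# Constructed heuristic: a mailto target should be one or more plain addresses,
# optionally followed by a query string. Anything else is worth a closer look.
MAILTO_OK = re.compile(
    r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+"
    r"(,[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+)*"
    r"(\?[A-Za-z0-9=&._+-]*)?$"
)

def extract_uris(pdf: bytes) -> list[str]:
    """Return the URI action targets found in the raw PDF bytes."""
    out = []
    for m in URI_RE.finditer(pdf):
        raw = ESCAPE_RE.sub(lambda e: e.group(1), m.group(1))
        out.append(raw.decode("latin-1"))
    return out

def triage(pdf: bytes) -> dict:
    """Hold any PDF carrying a mailto: action; separately list targets that
    do not look like the plain address a mail client should receive."""
    uris = extract_uris(pdf)
    mailto = [u for u in uris if u.lower().startswith("mailto:")]
    malformed = [u for u in mailto if not MAILTO_OK.match(u[len("mailto:"):])]
    return {"uris": uris, "mailto": mailto,
            "malformed_mailto": malformed, "quarantine": bool(mailto)}

if __name__ == "__main__":
    print(triage(make_sample_pdf(b"mailto:billing@example.invalid?subject=invoice")))
```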
In addition to updating antivirus signatures, SecureWorks advises administrators to block traffic to the Russian Business Network by blocking FTP traffic to 188.8.131.52 and HTTP traffic to 184.108.40.206. And, of course, don't open attachments from untrusted sources, regardless of the format.
William Jackson is a Maryland-based freelance writer.