Posted by Symantec, 10-27-2007, 05:11 AM
When PDF's Attack... Again!

Some months ago I reported on a cross site scripting vulnerability relating to PDF files (http://www.symantec.com/enterprise/security_response/weblog/2007/01/when_pdfs_attack.html) and browser handling of them. As it turned out, the vulnerability was not used in the wild much at all. Fast forward to October 2007, where we now have a new Adobe PDF vulnerability on our hands. First disclosed on September 20, 2007 by “pdp” on the Gnucitizen Web site, it was subsequently patched by Adobe yesterday.

One day later, we have discovered a new Trojan named Trojan.Pidief.A (http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-102310-3513-99) that actually exploits this vulnerability to compromise an unpatched computer. So far we have seen a fair number of emails containing this new Trojan in the wild. It is likely that Trojan.Pidief.A has been spammed out in targeted attacks on specific business organizations.

The Trojan will most likely arrive through email with a subject such as "invoice", "statement" or "bill" of some description, with the message containing only the .pdf file. So far we have seen the following file names used:

- INVOICE.pdf
- YOUR_BILL.pdf
- BILL.pdf
- STATEMET.pdf

The emails are using the following subject lines (note the misspellings):

- INVOICE alacrity
- INVOICE depredate

If the .pdf file is opened and the vulnerability exploited, it will run code that will download an executable named ldr.exe. This downloaded file is already detected by Symantec as Downloader (http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99).

Symantec antivirus users with definition sets of October 23, 2007 revision 008 or greater are protected from this threat. We recommend that users update their antivirus product's definitions and their Adobe Reader or Acrobat software by applying the relevant vendor patch (http://www.adobe.com/support/security/bulletins/apsb07-18.html). Finally, treat any PDF documents with extreme caution.
http://www.symantec.com/enterprise/security_response/weblog/2007/10/when_pdfs_attack_again.html
Tue, 23 Oct 2007 07:45:20 -0800
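
A mail-triage check built from the indicators listed in the post above, added here as an example and not part of the original Symantec write-up: it parses a raw message and reports which of the described traits (attachment name, subject line, PDF-only message) it shows. The function names, reason labels and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted in the post above (file names and subject lines).
PDF_NAMES = {"invoice.pdf", "your_bill.pdf", "bill.pdf", "statemet.pdf"}
SUBJECTS = {"invoice alacrity", "invoice depredate"}
LURE_WORDS = ("invoice", "statement", "bill")


def triage(raw):
    """Return the reasons a raw RFC 5322 message resembles the reported lure."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Lower-case and collapse whitespace so header folding does not hide a match.
    subject = " ".join(str(msg.get("Subject", "")).lower().split())
    pdfs, has_text = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(".pdf") or part.get_content_type() == "application/pdf":
            pdfs.append(name)
        elif part.get_content_maintype() == "text" and part.get_content().strip():
            has_text = True
    reasons = [f"known-filename:{n}" for n in pdfs if n in PDF_NAMES]
    if subject in SUBJECTS:
        reasons.append("known-subject")
    if pdfs and any(word in subject for word in LURE_WORDS):
        reasons.append("lure-subject-with-pdf")
    if pdfs and not has_text:
        # The post describes messages that carry only the .pdf file.
        reasons.append("pdf-only-message")
    return reasons


def sample(subject, body, filename):
    """Build a constructed test message; the attachment bytes are a harmless stub."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    if body:
        m.set_content(body)
    m.add_attachment(b"%PDF-1.4 constructed stub", maintype="application",
                     subtype="pdf", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (sample("INVOICE alacrity", "", "INVOICE.pdf"),
                sample("Meeting notes", "Notes from Tuesday attached.", "notes.pdf")):
        print(triage(raw))
```

Name and subject matches only flag this one reported wave for review; patching Adobe Reader or Acrobat and current antivirus definitions remain the actual protection the post recommends.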