A new malicious spam campaign underlines the security benefits of upgrading to the latest version of Adobe Reader – Adobe Reader X.
SophosLabs are currently seeing reports of a low-level attack, spamming out malicious PDF attachments. Sophos products detect the attack as Mal/PDFEx-J.
The dangerous attached files use filenames of the form DD-MM-YYYY-NN.pdf (in other words, a date followed by a two-digit number).
The emails typically look like this:
Hello, [recipient email]
It was scanned and sent to you using Xerox WorkCentre Pro. Please open the attached document.
Sent by: Guest
Number of Images: 1
Attachment File Type: PDF.
WorkCentre Pro Location: Machine location not set
I took a look at one sample of this family of malware (sha1:ef175336502a0216b4d0830944bc36e8155e0475) in order to see what would happen if I opened it with different versions of Adobe Reader.
When opened with Adobe Reader 8, the PDF displayed nothing, but it did attempt to download and run malicious code from a Colombian TLD.
However, when I opened the same file with Adobe Reader X, no attack occurred and an error message was displayed instead:
Other variants (also detected as Troj/PDFJs-QB) download and run a fake anti-virus attack that Sophos intercepts as Mal/FakeAV-EA.
The malicious code is stored within the PDF's Producer metadata tag and accessed via this.producer. The script first obtains eval indirectly: it enumerates the document object's properties looking for a name that contains 'qwe' (its own decoy variable qweval), strips 'qw' from that name to get 'eval', and then uses the resulting function to execute the Producer string:
    var qweval=5;                        // decoy variable; its name becomes 'eval' once 'qw' is removed
    for(var i in this) {                 // enumerate the properties of the Acrobat document object
        if (i.indexOf('qwe') != -1) {
            jbka=this[i.replace('qw','')];   // looks up this['eval'] without the literal string 'eval'
        }
    }
    jbka('cck=this.producer');           // cck = the Producer metadata string
    xswi=jbka(cck.substr(0,19));         // evaluate the first 19 characters of the Producer string
    ...
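As an added defender-side example (not code from the original post or from Sophos), the Python triage script below checks an attachment against the two indicators the post gives: the DD-MM-YYYY-NN.pdf filename pattern and JavaScript hidden in the PDF's /Producer metadata string. It contains a small parser for PDF literal strings, because a naive regex up to the first ')' would truncate a Producer value containing `cck.substr(0,19)`. The two embedded PDFs are constructed for the demonstration and are not samples from the campaign; the suspicious-token list and the 200-character length threshold are assumptions.

```python
"""Heuristic triage of PDF attachments that hide JavaScript in the /Producer
metadata string. Added example; the sample PDFs below are constructed inline
and are not real malware samples."""
import re
from typing import Optional

# Filename pattern reported for the campaign: DD-MM-YYYY-NN.pdf
CAMPAIGN_NAME_RE = re.compile(r"^\d{2}-\d{2}-\d{4}-\d{2}\.pdf$", re.IGNORECASE)

# Tokens that have no business in a document's Producer field (assumed list).
SUSPICIOUS_JS_RE = re.compile(
    r"this\.producer|\beval\b|\bunescape\b|\.substr\(|String\.fromCharCode|\bvar\s+\w+\s*="
)
MAX_SANE_PRODUCER_LEN = 200  # assumed threshold; real producers are short


def read_literal_string(data: bytes, start: int) -> bytes:
    """Return the body of the PDF literal string whose '(' is at data[start].
    PDF literal strings may contain balanced unescaped parentheses and
    backslash escapes, so scanning has to track nesting depth."""
    assert data[start:start + 1] == b"("
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                 # escape: keep the next byte verbatim
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:              # nested paren is part of the string body
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:             # matching close of the opening '('
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def extract_producer(data: bytes) -> Optional[str]:
    """Return the first /Producer value as text (literal or hex string form)."""
    m = re.search(rb"/Producer\s*", data)
    if not m:
        return None
    pos = m.end()
    if data[pos:pos + 1] == b"(":
        raw = read_literal_string(data, pos)
    elif data[pos:pos + 1] == b"<":    # hex string form <4142...>
        end = data.index(b">", pos)
        raw = bytes.fromhex(data[pos + 1:end].decode("ascii"))
    else:
        return None
    return raw.decode("latin-1")


def triage_pdf(filename: str, data: bytes) -> dict:
    """Score one attachment; content findings alone decide 'suspicious'."""
    producer = extract_producer(data) or ""
    findings = []
    if SUSPICIOUS_JS_RE.search(producer):
        findings.append("Producer contains JavaScript-like code")
    if len(producer) > MAX_SANE_PRODUCER_LEN:
        findings.append(f"Producer unusually long ({len(producer)} chars)")
    if re.search(rb"/(JavaScript|JS)\b", data):
        findings.append("document embeds a JavaScript action")
    if b"/OpenAction" in data:
        findings.append("document has an OpenAction (runs on open)")
    return {
        "name_match": bool(CAMPAIGN_NAME_RE.match(filename)),
        "producer": producer,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample documents (minimal, not byte-exact PDFs from the campaign).
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"3 0 obj << /Producer (Xerox WorkCentre Pro) /Title (scan) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)
MALICIOUS_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
    b"3 0 obj << /Producer (var a=1;cck=this.producer;x=eval\\(cck.substr(0,19)\\);) >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (for(var i in this){}) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("04-05-2011-17.pdf", MALICIOUS_PDF), ("invoice.pdf", BENIGN_PDF)):
        print(name, triage_pdf(name, blob))
```

In a mail gateway this would run over each PDF attachment before delivery; a hit on the Producer heuristic is a strong signal on its own, whereas the filename pattern is only corroborating, since legitimate scanners also date-stamp their output.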
It appears that an update introduced in Adobe Reader X has broken a fundamental part of this threat. Well done Adobe!
For this reason, I would urge users and system administrators responsible for protecting firms to consider updating to Adobe Reader X as soon as possible.
Last year, my colleague Chet Wisniewski interviewed Adobe security chief Brad Arkin about all matters Adobe, including the then-upcoming Reader X. Take a listen below if you want to hear more about how Adobe is tackling security issues with its products.
(23 August 2010, duration 24:36 minutes, size 11.3MBytes)