Hacker Criminals Find An Exploit In a Fix

Last month, InternetNews.com reported that a white hat programmer had discovered a particularly nasty exploit in Adobe’s PDF format, and that Adobe was in the process of fixing it.

Adobe issued a patch this past week and the first thing Russian criminals did was examine it, extract the problem it fixes, and have now unleashed a flood of PDF spam with an exploit in it that will install rootkits and Trojans on your computer.

According to a posting on Symantec’s Security Response blog, the spam contains subject lines like “invoice,” “statement” or “bill.” The attached PDF file will have names like INVOICE.pdf, YOUR_BILL.pdf, BILL.pdf and STATEMET.pdf.

If you try to open these files with an unpatched Acrobat Reader or Internet Explorer 7, the application will crash, your firewall is disabled and a pair of rootkits are installed on your computer. The malicious code then installs Trojans to steal financial information, like bank account information.

Adobe fixed the flaw Monday and released Acrobat Reader 8.1.1, and the company is working to fix the 7.0.x version as well. But the exploit is actually in Internet Explorer 7, it’s just that Reader didn’t properly sanitize how URLs are passed from the Internet to the Windows ShellExecute function. The patch now checks to make sure the link being passed doesn’t contain any dangerous code.

Only computers running Internet Explorer 7 on Windows XP or Windows Server 2003 are vulnerable to the PDF exploit. IE 6, Firefox and older Windows operating systems are not at risk. Microsoft’s security team has said it is working on a fix, and for now advises caution when it comes to unknown files.

Even though Adobe has released a patch, it’s not likely to be widely spread immediately. “A lot of people are not going to update their Adobe products immediately. People have gotten good with updating their antivirus and Microsoft products but they don’t think to do it to their apps like Acrobat,” said Ken Dunham, director of malicious code research at iDefense.

Dunhan said the exploit emerged in the wild of the Internet within a day of Adobe issuing its patch and they are counting on considerable lag between the release of the patch and individuals updating their computers. “Because it’s so easy and so effective, we’re going to see this for months to come,” he said.

However, Dmitri Alperovitch, principal research scientist for Secure Computing, said there may be a silver lining to the earlier PDF spam outbreak this past summer.

“With all the PDF spam we’ve seen over the summer, I would hope people know by this point that PDF can be malicious and they be careful about opening them” particularly from unknown parties, he told InternetNews.com.

Hopefully he’s right, because Secure Computing’s Trusted Source security service, which monitors e-mail, reports that 3.5 percent of all e-mail volume is carrying PDF spam with this virus.

The real danger is that the exploit is in Windows. For now, the bad guys are using PDF as a method for exploiting it. But they could easily use instant messenger programs, said Alperovitch.

What this means is everybody has to be smart about dealing with the problem, said Dunham. “Yes, Microsoft has responsibility here, yes, Adobe has responsibility and yes, you the consumer has responsibility. I think if everybody does their part we’ll have a safer Internet,” he said.

News Around the Web