NEWS FROM THE LAB - Monday, February 8, 2010

Watch Out for flower-show.org Posted by Mikko @ 14:54 GMT

We saw a pretty PDF file today (md5: 116d92f036f68d325068f3c7bbf1d535).

It looks like this:


Nice flowers.

Unfortunately, when viewing the file, it uses an exploit against Adobe Reader and drops and runs a file called 1.exe.

This executable is a Poison Ivy backdoor. It calls home to a host called cecon.flower-show.org. Whoever controls the computer at that address gains remote access to the target computer. The PDF was used in a targeted espionage attack against an unknown target.

We've seen the domain flower-show.org before, already in 2009. Then another PDF called home to posere.flower-show.org.


Today, both of those host names resolve to, which is not in China. It's in Singapore.