NEWS FROM THE LAB - Tuesday, March 9, 2010

PDF Based Targeted Attacks are Increasing

Posted by Sean @ 15:30 GMT

Microsoft schedules its security updates on the second Tuesday of the month. Adobe recently began following this schedule as well, and while there are no Adobe updates today, there was an out-of-cycle security update two weeks ago.

That update should now be applied if you haven't already done so, because we're now seeing the vulnerability (CVE-2010-0188) being exploited in targeted attacks (Microsoft is also seeing this).

Our sample was submitted by a European financial organization and the file name includes a reference to the G20. The exploit drops a downloader and attempts to make a connection to tiantian.ninth.biz. We detect this attack as Exploit:W32/PDFExploit.G.

It doesn't surprise us to see this Adobe Reader vulnerability utilized so quickly.

Looking through our sample management system, we see a growing number of targeted attack files.

There were 1968 files in 2008 and 2195 in 2009. That isn't a very large increase in the overall total from 2008 to 2009, but we did see a greater percentage targeting Adobe.

And how about the first two months of 2010?

Well, so far the number is 895, which will more than double last year's number if the current pace continues.

The percentage targeting Adobe Reader continues to rise.

Here's a graph with a breakdown of the most common attack vectors used in targeted (espionage) attacks:

[Graph: Targeted attacks 2008, 2009, 2010 (Jan/Feb)]

Updated to add: A couple of readers noticed that our graph's 2009 percentages were slightly off — it's been corrected.