NEWS FROM THE LAB - Tuesday, June 8, 2010

Exploit.PDF-Dropper.Gen Posted by Sean @ 09:02 GMT

The lab is currently seeing a spam run pushing a PDF exploit.

The emails look like this:

   From: random addresses
   To: random recipients
   Subject: New Resume
   Please review my CV, Thank You!
   Attachment: resume.pdf

This PDF attachment is not utilizing the critical Flash vulnerability that we wrote about yesterday. Instead, it's attempting to use the PDF /launch feature.

The timing of this spam run seems a bit odd as it isn't using the current vulnerability, but perhaps the gang which uses this particular tactic knows that there's about to be a big push to update Adobe Reader. Current versions of Reader include the Trust Manager feature, and so this gang's window of opportunity will be narrowing soon.
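To show what "using the /Launch feature" means at the file level, here is an added triage scanner (example code written for this post, not an F-Secure tool) that looks for a /Launch action and the /OpenAction trigger in a PDF's raw bytes. The two sample PDFs are constructed for the example; the file name and argument string in the Launch dictionary are placeholders, not values from the spam run.

```python
import re

# PDF names may hex-escape characters (e.g. /#4Caunch), which defeats a naive
# search for the literal string "/Launch"; decode escapes before matching.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")
# A name ends at whitespace or a PDF delimiter; used so /JS does not match /JSX.
_NAME_END = rb"(?![^\s/\[\]<>(){}%])"

# Action and trigger names worth flagging in an unsolicited attachment.
SUSPICIOUS_NAMES = {
    b"/Launch": "Launch action: asks the viewer to run an external program",
    b"/OpenAction": "OpenAction: action fires as soon as the document opens",
    b"/AA": "additional-actions dictionary: event-triggered actions",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code string or stream",
}


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside PDF name tokens so /#4Caunch reads as /Launch."""
    def fix(match):
        return _NAME_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), match.group(0))
    return _NAME_TOKEN.sub(fix, data)


def scan_pdf(data: bytes) -> dict:
    """Return {suspicious name: occurrence count} found in the raw PDF bytes.

    This scans uncompressed objects only; it does not inflate FlateDecode
    streams or object streams, so it is a first-pass triage check, not a parser.
    """
    norm = normalize_names(data)
    findings = {}
    for name in SUSPICIOUS_NAMES:
        count = len(re.findall(re.escape(name) + _NAME_END, norm))
        if count:
            findings[name.decode()] = count
    return findings


def launch_targets(data: bytes) -> list:
    """Extract the /F (file) operand of every Launch action dictionary, for triage."""
    norm = normalize_names(data)
    targets = []
    for match in re.finditer(rb"<<(.*?)>>", norm, re.S):
        body = match.group(1)
        if re.search(rb"/S\s*/Launch" + _NAME_END, body):
            f = re.search(rb"/F\s*\(([^)]*)\)", body)
            targets.append(f.group(1).decode("latin-1") if f else "<no /F operand>")
    return targets


# Constructed sample: catalog points /OpenAction at a Launch action whose name is
# hex-escaped. The target file name and parameters are placeholders.
MALICIOUS_SAMPLE = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /#4Caunch /F (dropped_program.exe) /P (PLACEHOLDER_ARGS) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no actions at all.
BENIGN_SAMPLE = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_pdf(sample), launch_targets(sample))
```

A Launch action combined with /OpenAction is the pattern described in this post: nothing is exploited in the parser, the viewer is simply asked to run a program when the file opens, which is why the Trust Manager prompt in current Reader versions is the relevant mitigation rather than a patch.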

We already detected this threat as Exploit.PDF-Dropper.Gen with our Internet Security 2010.

The PDF's MD5 is cff871a36828866de1f42574be016bb8. If allowed to run, the exploit will drop an alureon/dnschanger trojan.

Our telemetry indicates that several thousand customers have already been exposed to the exploit. We have no hits on the payload so we know that our generic detection is blocking the threat.

Hydra detection for the attachment/payload was published with database version 2010-06-08_03.

Updated to add: Here's a screenshot of the PDF attachment. The PDF is based on a resume/CV pulled from the Internet, and the /launch prompt is rather noisy.