Installs file-damaging virus

Jul 2, 2010 07:22 GMT  ·  By

Security researchers from Sophos warn of an ongoing spam campaign that tricks users into opening a malicious PDF attachment by claiming they've made several long distance phone calls. The rogue document is rigged to exploit an Adobe Reader vulnerability and download the Sality virus.

"Hey man... Remember all those long distance phone calls we made. Well I got my telephone bill and WOW. Please help me and look at the bill see which calls where yours ok…" the spam emails read. A malicious file called "PhoneCalls.pdf", detected by Sophos as Troj/PDFJs-II, is attached to the unsolicited messages.

The rogue PDF document contains exploit code targeting a remote code execution vulnerability identified as CVE-2010-0188. This flaw, stemming from Adobe Reader's handling of TIFF images, was discovered by Microsoft researchers and was patched in an out-of-band security update that shipped in February.

According to Richard Cohen, the technical lead for malware research at SophosLabs Canada, successful exploitation leads to the unauthorized installation of a malware downloader detected as Troj/SalLoad-B. This trojan's purpose is to infect the victim computers with a version of the Sality virus.
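The chain described above (a PDF carrying JavaScript, a TIFF-handling bug, a downloader stage) is the kind of attachment a mail gateway or incident responder can triage before it ever reaches a reader. The script below is an added example, not code from Sophos or from the article; it scans a PDF byte stream for the risk indicators a defender looks for (action and JavaScript keys, XFA forms, embedded files, TIFF image data) and normalises PDF name escapes such as `/J#53` so that trivially obfuscated keys still match. The weights, the `triage_pdf` function name, and the two sample PDFs embedded below are constructed for this example.

```python
import re

# Dictionary keys from the PDF specification that commonly appear in malicious
# documents. Weights are an assumption chosen for this example, not a standard.
RISK_NAMES = {
    b"/JavaScript": 3,
    b"/JS": 3,
    b"/OpenAction": 2,
    b"/AA": 1,
    b"/Launch": 3,
    b"/XFA": 2,
    b"/EmbeddedFile": 2,
}

# TIFF magic bytes (little- and big-endian) in raw form and as they appear when
# base64-encoded inside an XFA image field. Presence alone is not malicious; it
# only matters in combination with the other indicators.
TIFF_MAGIC = (b"II*\x00", b"MM\x00*", b"SUkqAA", b"TU0AKg")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so that '/J#53' is seen as '/JS'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return a dict with indicator counts, a score and a coarse verdict."""
    norm = normalize_names(data)
    hits = {}
    for name, weight in RISK_NAMES.items():
        # A PDF name ends at the first non-regular character, so '/JS' must not
        # match a longer name such as '/JScript'.
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", norm))
        if count:
            hits[name.decode()] = count
    tiff = any(magic in norm for magic in TIFF_MAGIC)
    score = sum(RISK_NAMES[n.encode()] for n in hits) + (2 if tiff else 0)
    return {
        "indicators": hits,
        "tiff_image_data": tiff,
        "score": score,
        "verdict": "suspicious" if score >= 4 else "no obvious indicators",
    }


# Constructed sample: a catalog with an OpenAction that points at a JavaScript
# action whose /JavaScript name is obfuscated with a #61 escape, plus an image
# object beginning with the little-endian TIFF header. Not a real exploit.
MALICIOUS_SAMPLE = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Length 4 >> stream\n"
    b"II*\x00\nendstream endobj\n"
    b"%%EOF\n"
)

# Constructed sample: an empty but well-formed document with no actions at all.
BENIGN_SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"%%EOF\n"
)


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage_pdf(sample))
```

The string match works on the raw file, so it only sees names that are stored in clear text. Real-world malicious PDFs, including ones that carry JavaScript, often hide their dictionaries inside FlateDecode streams or object streams; a production check should inflate those streams first (for instance with `zlib`) and run the same matching over the decoded content, or use a dedicated PDF parser.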

Sality is a polymorphic file infector that adds its malicious code to every executable file on the local system and on reachable network shares. It is one of the most damaging viruses still circulating in the wild, because the files it infects are corrupted beyond repair.

The Sophos security researcher advises users to keep their Adobe Reader installations up to date in order to avoid falling victim to attacks that employ malicious PDF documents. Adobe released critical security updates for Adobe Reader and Acrobat just a few days ago, and if you haven't applied them yet, you are strongly encouraged to do so.

Of course, considering the many times Adobe Reader vulnerabilities have been exploited in the wild before a patch was available, having the latest version of the program installed does not ensure complete protection against such attacks. Because of this, users should rely on other layers of protection, like a capable antivirus program with a proven ability to block zero-day threats.

You can follow the editor on Twitter @lconstantin