Bojan Zdrnja from the Internet Storm Center (ISC) warns that he has encountered malicious PDF files
As we reported a few days ago, Adobe has released an advisory and patches for several serious flaws
detected in its Reader and Acrobat products. Five of the eight announced vulnerabilities allowed local and remote code execution, if exploited successfully. Only 8.1.2 and older versions of Adobe Reader and Acrobat were affected, but these versions are still in use on many systems, even though version 9 has been out for quite some time.
The vulnerability exploited by the malicious PDF file circulating on the Internet is identified as CVE-2008-2992
that Mr. Frizza disclosed, penetration tester and vulnerability researcher Debasis Mohanty created a PoC exploit
, which was posted on Milw0rm.
According to ISCs Bojan Zdrnja, the attackers that created the PDF files seen in the wild used Mohanty's proof of concept code, but made small changes like in the way the malicious string was being generated. As Zdrnja points out, unfortunately, this was enough to evade the detection mechanisms of anti-virus products, as none of the major 32 such products blocked or warned about the PDF file when it was scanned via the VirusTotal
Once opened, the malicious PDF files will call the legit mshta.exe Windows component in order to open remotely hosted .HTA (HTML Application) files. When executing these .HTA files, a Trojan application will be downloaded and installed on the target system. Mr. Zdrnja told The Register
that the PDF files were served through rogue advertisements (malvertizements) that appear on suspicious websites.
Even though these files are currently spreading at a slow pace, the Internet Storm Center analyst speculates that the distribution rate will increase in the future, or that more attacks will be devised by other cybercriminals. Because of this, the users of the affected versions are highly encouraged to deploy the Adobe patch (Windows
) or to upgrade to version 9
of Adobe Reader.