Recently patched Adobe Reader flaw exploited

Jan 19, 2010 13:45 GMT

Security researchers warn that an attack making use of malicious PDF files is targeting U.S. government contractors. The files attempt to exploit a critical Adobe Reader vulnerability that was patched last week.

"The PDF file was quite convincing and it looked like it came from the Department of Defense. The document talks about a real conference to be held in Las Vegas in March," Mikko Hyppönen, chief research officer at antivirus vendor F-Secure, explains.

"It is with great pleasure that we invite Government representatives from your respective military services to the Mission Planning Users Conference (MPUC) 2010. The MPUC is an unclassified event that provides a forum for promoting information exchange, user training, and innovative product demonstrations for the Mission Planning community to include developers, users, sustainment and acquisition representatives," part of the document reads.

But hidden inside the file is JavaScript code that exploits the CVE-2009-4324 vulnerability. This flaw was originally disclosed back in December as a zero-day and involves the doc.media.newPlayer() function of Adobe Reader and Acrobat's Multimedia.API.
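A defender-side triage check for the pattern described above, as an added example that is not from the original article or from F-Secure: it flags a PDF that carries script-launching keys and references media.newPlayer, in plain text or inside a Flate-compressed stream. The function names and the sample bytes are constructed for illustration, and the check assumes the script is stored unencoded or with FlateDecode only.

```python
import re
import zlib

# Keys that make a reader run script, and the API named for CVE-2009-4324.
SCRIPT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
NEWPLAYER = re.compile(rb"media\s*\.\s*newPlayer", re.I)
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
HEX_NAME = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes in PDF names, e.g. /J#61vaScript -> /JavaScript."""
    return HEX_NAME.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes):
    """Yield each stream body, inflated when it is zlib data (FlateDecode)."""
    for m in STREAM.finditer(data):
        try:
            # decompressobj ignores the newline left before 'endstream'
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            yield m.group(1)


def triage_pdf(data: bytes) -> dict:
    """Report script-launching keys and any reference to media.newPlayer."""
    names = normalize_names(data)
    keys = [k.decode() for k in SCRIPT_KEYS
            if re.search(re.escape(k) + rb"(?![A-Za-z])", names)]
    calls = any(NEWPLAYER.search(s) for s in [data, *inflate_streams(data)])
    return {"script_keys": keys, "calls_newplayer": calls,
            "flag": bool(keys) and calls}


def build_sample(script: bytes) -> bytes:
    """Constructed PDF-like bytes for testing the check (not a real attack file)."""
    body = zlib.compress(script)
    return (b"%PDF-1.4\n1 0 obj\n"
            b"<< /OpenAction << /S /J#61vaScript /JS 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample(b"var p = doc.media.newPlayer; // marker")))
```

A hit is a reason to quarantine the file and inspect it further, not proof of exploitation; a miss does not clear a file that uses other stream filters.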

If exploitation is successful, a file called Updater.exe is dropped and executed on the system. This installs a backdoor component that can be used to control the infected computer remotely. According to F-Secure, the backdoor bypasses the local Web proxy settings and reports back to an IP address in Taiwan.

A working exploit for this vulnerability has been known since mid-December, and several variations have been detected in the wild since then. At the beginning of the year, security researchers from SANS' Internet Storm Center announced that employees from various companies had received similarly rigged PDF files, as part of a highly sophisticated attack.
