Major malware campaign abuses unfixed PDF flaw
Message poses as e-mail reset instructions, plants worm that can spread via flash drive
Computerworld - Several security companies today warned of a major malware campaign that tries to dupe users into opening rigged PDFs that exploit an unpatched design flaw in the PDF format.
Users who open the attack PDFs are infected with a variant of a Windows worm known as "Auraax" or "Emold," researchers said.
The malicious messages masquerade as mail from company system administrators and come with the subject heading of "setting for your mailbox are changed," said Mary Grace Gabriel, a research engineer in CA Inc.'s security group. A PDF attachment purportedly contains instructions on how to reset e-mail settings. "SMTP and POP3 servers for ... mailbox are changed. Please carefully read the attached instructions before updating settings," the message states.
In reality, the PDFs contain embedded malware and use the format's /Launch function to execute that malware on Windows PCs running the newest versions of Adobe Systems Inc.'s Acrobat application or its free Adobe Reader, as well as other PDF viewers, such as Foxit Reader.
The /Launch feature is not a security vulnerability per se, but actually a by-design function of the PDF specification. Earlier this month, Belgium researcher Didier Stevens demonstrated how attack PDFs could use /Launch to run malware tucked into documents.
Two weeks ago, security researchers tracked a new run by the Zeus botnet that used the /Launch flaw to infect PCs.
Adobe has previously declined to answer questions on whether in-the-wild use of /Launch in rigged PDFs would prompt the company to update Reader and Acrobat, although it has said a change to the functionality might "conceivably [be made] available during one of the regularly scheduled quarterly product updates." Brad Arkin, Adobe's head of security and privacy, has acknowledged that one possible solution would be to disable the function; currently, it's turned on by default.
After analyzing the attack PDF, other researchers found that hackers are using Stevens' tactic of modifying the warning that Reader and Acrobat display. Adobe Reader, for example, displays a message telling users to open only those files they know are safe. In the same Windows dialog box, Reader displays the name of the file about to be launched. According to IBM Internet Security Systems researchers, hackers have modified the warning to simply read, "Click the 'open' button to view this document."
Other security researchers, including those at Paris-based CERT-Lexsi, have also reported on the e-mail bearing rogue PDF attachments. CERT-Lexsi added that the malware's command-and-control server is located in Korea.
IBM researchers said the malware launched from the rigged PDFs seems to be a version of the Auraax or Emold worms. The worm drops a rootkit onto the compromised PC and tries to copy itself to all removable drives, including flash drives, to spread using the "Autorun" infection tactic made popular by 2008's Conficker worm.
Staffers at IDG -- which is Computerworld's parent company -- have received the malicious messages with attached PDF documents. Those messages can pose as ones from "customersupport@domain name.com," "support@domain name.com," and "admin@domain name.com," where domain name is typically the name of the recipient's company.
An Adobe spokeswoman today declined to comment on the latest attacks and said the company was still researching the /Launch functionality in Adobe Reader and Acrobat to identify "all possible use scenarios for this particular functionality to ensure we are not breaking any common workflows for our customers." Adobe's current advice remains that users configure Reader and Acrobat to stymie such attacks, she added. Adobe's Web site has instructions about how to do that.
IBM's security team also recommended that users disable the Windows Autorun feature for all flash drives, and it pointed users to a Microsoft support document for instructions and updates.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Accelerating the Delivery Microsoft Office 365 Many organizations use Office 365's cloud-based mail, collaboration and communication services as the dominant workload. However, as services move to the cloud, data...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts