Author Topic: PDF drops a trojan: Exploit.PDF-Dropper.Gen  (Read 3936 times)


F3RL

PDF drops a trojan: Exploit.PDF-Dropper.Gen
« on: 15. June 2010., 14:26:09 »
There has been a spam run pushing a PDF exploit through emails.

The emails look like this:

   From: random addresses
   To: random recipients
   Subject: New Resume
 
   Please review my CV, Thank You!
 
   Attachment: resume.pdf



Enlarged screenshot: http://i46.tinypic.com/2h6c39u.png

This PDF attachment is not utilizing the critical Flash vulnerability that we wrote about yesterday. Instead, it's attempting to use the PDF /launch feature. It attempts to launch CMD.exe and execute code there.

The timing of this spam run seems a bit odd as it isn't using the current vulnerability, but perhaps the gang which uses this particular tactic knows that there's about to be a big push to update Adobe Reader. Current versions of Reader include the Trust Manager feature, and so this gang's window of opportunity will be narrowing soon.

We already detected this threat as Exploit.PDF-Dropper.Gen with our Internet Security 2010.

The PDF's MD5 is cff871a36828866de1f42574be016bb8. If allowed to run, the exploit will drop an alureon/dnschanger trojan.

Our telemetry indicates that several thousand customers have already been exposed to the exploit. We have no hits on the payload so we know that our generic detection is blocking the threat.

Hydra detection for the attachment/payload was published with database version 2010-06-08_03.

Updated to add: Here's a screenshot of the PDF attachment. The PDF is based on a resume/CV pulled from the Internet, and the /launch prompt is rather noisy.

Story from: F-Secure Weblog http://www.f-secure.com/weblog/
Well? Understand my bad English.

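The post describes the mechanism (a /Launch action that starts CMD.exe) without showing how a defender would triage such an attachment. The following is an added example, not code from the post or from F-Secure: a small Python keyword scanner that flags /Launch actions in a PDF, reports the target named in the /Win dictionary, and notes whether the action is wired to /OpenAction (so it fires when the file is opened). The two sample PDFs are constructed for this example; the real resume.pdf is not reproduced here. It also decodes the PDF name hex escapes (`/L#61unch` is the same name as `/Launch`) that a naive string search would miss.

```python
import re

# Constructed sample (not the resume.pdf from the post): a minimal PDF whose
# /OpenAction points at a /Launch action. The action name is written with a
# PDF name escape (/L#61unch == /Launch) to show why names must be decoded.
LAUNCH_SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /L#61unch /Win << /F (cmd.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: same skeleton, no actions at all.
BENIGN_SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

NAME_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")          # #xx escape inside a name
LAUNCH_ACTION = re.compile(rb"/S\s*/Launch\b")         # action subtype Launch
WIN_DICT = re.compile(rb"/Win\s*<<(.*?)>>", re.DOTALL)  # Windows launch params
FILE_ENTRY = re.compile(rb"/F\s*\(([^)]*)\)")          # /F (target) literal string
OPEN_ACTION = re.compile(rb"/OpenAction\b")            # runs when the PDF opens


def decode_name_escapes(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names compare equal to plain ones.

    Applied to the whole buffer, which is acceptable for a keyword triage
    pass (we only care about name tokens, not about preserving strings).
    """
    return NAME_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return a triage summary for one PDF byte string."""
    text = decode_name_escapes(data)
    launch_actions = len(LAUNCH_ACTION.findall(text))

    # Collect the program each /Win dictionary asks the viewer to start.
    targets = []
    for win in WIN_DICT.finditer(text):
        for entry in FILE_ENTRY.finditer(win.group(1)):
            targets.append(entry.group(1).decode("latin-1"))

    return {
        "launch_actions": launch_actions,
        "open_action": OPEN_ACTION.search(text) is not None,
        "targets": targets,
        "verdict": "suspicious" if launch_actions else "clean",
    }


if __name__ == "__main__":
    for label, sample in (("launch", LAUNCH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_pdf(sample))
```

Two caveats for real-world use: objects inside compressed streams (FlateDecode, object streams) have to be inflated before a keyword pass like this sees them, and a /Launch action is only a signal, not proof, so the scan result belongs in a triage queue rather than an automatic block. On the endpoint, the Trust Manager setting the post alludes to ("Allow opening of non-PDF file attachments with external applications", unchecked) is the control that stops the launch prompt from ever reaching the user.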

Samker

Re: PDF drops a trojan: Exploit.PDF-Dropper.Gen
« Reply #1 on: 15. June 2010., 15:25:46 »
Thanks for the info, Eric.  :thumbsup:
