Nov 13, 8:02 am (UTC-7)   |   by Joey Costoya (Advanced Threats Researcher)

A new round of PDF exploits is being pushed by websites pretending to be the US Federal Reserve. Several spammed email messages advertising these fake Federal Reserve pages have been intercepted since last week.


Figure 1. Sample email message.

This spam run is still continuing as of this writing, and it is now advertising more bogus sites. So far, the malicious sites are using the following domains:


These domains all resolve to a single IP address with a relatively short TTL (time to live) of 3600 seconds. What is peculiar about them is that when a user on OpenDNS browses to one of the prepared sites, OpenDNS reports that the site is not loading, whereas the same DNS requests sent through other ISPs' nameservers resolve and load the bogus Fed pages.


Figure 1. Bogus US Federal Reserve website.

The fraudulent site redirects to a porn search page a few seconds after loading, and in the meantime a PDF exploit is downloaded onto the system. The script hosting the exploit has some anti-detection routines which attempt to prevent its contents, particularly the PDF JavaScript, from being seen by nosy researchers.
With a little fiddling with Adobe Acrobat Pro, I was able to disable its “protection” and I readily saw the PDF JavaScript.

The PDF JavaScript is built as a chain of downloaders, each fetching the next stage from a different Internet location. The final component at the end of the downloader chain is a trojan that infects the victim PC and automatically restarts it.
After the restart, the infected machine launches malformed HTTPS transactions at regular intervals (every 6.5 seconds) to a certain server. The transactions can be considered malformed because the SSL handshake used by normal SSL websites is missing from this HTTPS traffic; even so, the traffic is still encrypted in some way. This type of HTTPS bot was first spotted a few months earlier.

The regularity of the HTTPS traffic suggests that this is a botnet with a Web-based C&C. This is certainly an improvement over the Web-based bots of old, whose traffic was seen in plaintext. The botherders have made it a point to hide the network actions of their bots from IDSes (intrusion detection systems) by encrypting their network traffic. It makes one wonder what else the bad guys have in store for us.
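As an added illustration (not code from the original post or from Trend Micro), the following Python detector looks for the pattern just described from a defender's side: a host contacting one server on port 443 at a near-constant cadence, where the client's first bytes are never a TLS ClientHello. The flow records, hosts and addresses are constructed sample data; the bot's real payload bytes are not on the page and are represented by an arbitrary non-TLS first packet.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (epoch seconds, src, dst, dst port, first bytes the client sent).
# The 10.0.0.5 -> 203.0.113.7 entries imitate the bot described in the post: port 443,
# a 6.5-second cadence, and a first packet that is not a TLS ClientHello.
# 203.0.113.7 and 198.51.100.x are documentation addresses, not real hosts.
REAL_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01"
FLOWS = [(1000.0 + 6.5 * i, "10.0.0.5", "203.0.113.7", 443, b"\x8a\x17\x42\x00\x19\x3c\xd1")
         for i in range(5)]
FLOWS += [(1003.0 + 6.5 * i, "10.0.0.9", "198.51.100.2", 443, REAL_HELLO) for i in range(5)]
FLOWS += [(1001.0, "10.0.0.5", "198.51.100.8", 80, b"GET / HTTP/1.1\r\n"),
          (1040.0, "10.0.0.5", "198.51.100.8", 80, b"GET /a HTTP/1.1\r\n")]


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the client's first bytes form a TLS handshake record (type 0x16) of
    version 3.x whose first handshake message is a ClientHello (type 0x01)."""
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01)


def find_beacons(flows, min_flows=4, max_jitter=0.5):
    """Return (src, dst, port, mean gap) for each src/dst pair on port 443 that
    connects at a near-constant interval and never starts with a ClientHello."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, payload in flows:
        by_pair[(src, dst, port)].append((ts, payload))
    hits = []
    for (src, dst, port), recs in by_pair.items():
        if port != 443 or len(recs) < min_flows:
            continue
        if any(is_tls_client_hello(p) for _, p in recs):
            continue  # a genuine SSL handshake was seen; not the pattern we want
        recs.sort(key=lambda r: r[0])
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        if statistics.pstdev(gaps) <= max_jitter:
            hits.append((src, dst, port, round(statistics.mean(gaps), 2)))
    return hits


if __name__ == "__main__":
    for src, dst, port, gap in find_beacons(FLOWS):
        print(f"possible encrypted beacon: {src} -> {dst}:{port} every {gap}s, no TLS handshake")
```

On real data the same check would be fed from a flow exporter or a packet capture that records the first client bytes of each connection; the regular TLS talker in the sample is deliberately included to show that cadence alone is not enough to flag a host.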

Trend Micro Smart Protection Network already blocks the spammed message as well as the malicious URLs involved in this and previous PDF exploit threats.

Updates as of November 17, 2008 1AM PST: Trend Micro detects the PDF exploit as TROJ_PIDIEF.DN. It connects to a remote website to download another malicious file detected as TROJ_INJECT.NI.

4 Responses to “Bogus Federal Reserve Sites Deliver PDF Exploit”

© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice