Dec 14, 10:45 am (UTC-7) | by Erika Mendoza (Threat Response Engineer)
When I read this blog entry a few days ago, the first question that entered my head was, “Is this another targeted attack?” I took a look at the .PDF discussed in the entry, and it appeared to be a document addressed to employees of a certain defense contractor. Trend Micro products detect this malicious .PDF as TROJ_PIDIEF.EGG. Below is a screenshot of the survey.
It appears to me that cybercriminals are specifically targeting the employees of this defense contractor in order to obtain information about the company and possibly its clients as well. I also learned that the contractor’s customers include many high-profile federal government agencies.
The exploit technique in this .PDF is similar to other commonly used ones. The file carries malicious JavaScript that stages shellcode; once the vulnerability is triggered, the shellcode runs, decrypts a binary embedded in the PDF, and installs it on the system. The vulnerability in question is the memory corruption flaw in the Adobe Reader U3D component, CVE-2011-2462, which was a zero-day at the time of this attack. Below is the embedded binary, which is detected by Trend Micro as BKDR_SYKIPOT.B.
Users who seldom check the running processes on their computers probably won’t notice the backdoor, pretty.exe, running in the background. It does not exhibit any destructive behavior on its own, but once the backdoor connection to the remote attacker succeeds, that attacker gains control of the infected system and can do considerably more damage, including downloading additional malicious files and rebooting the system, to name just two.
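As an added illustration of how an analyst would triage a PDF of the kind described above, here is a small static scanner. It is example code written for this page, not code from the original post or from Trend Micro, and it does not reproduce the real sample: the PDF it scans is constructed inline and inert, and the indicator names, the shellcode-staging heuristics, and the verdict thresholds are all assumptions made for the example. It looks for the three things the description above implies: a script hook that fires automatically, a U3D object, and a binary sitting in a stream, inflating FlateDecode streams and undoing the `#xx` name escapes that trip up a naive grep.

```python
import re
import zlib

# Object names worth flagging in a PDF that arrives by e-mail. /U3D is the
# component that CVE-2011-2462 lives in; the others are the script and
# auto-execution hooks an exploit needs to run without user interaction.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/U3D", b"/EmbeddedFile", b"/Launch"]
# Idioms used to stage shellcode from PDF JavaScript (heuristic only).
SHELLCODE_HINTS = [b"unescape(", b"String.fromCharCode", b"%u"]

NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def unescape_names(data):
    """Undo PDF #xx name escapes: /J#61vaScript is legal and means
    /JavaScript, and malicious files use it to dodge a naive grep."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def extract_streams(data):
    """Return (body, inflated) for every stream object in the file."""
    out = []
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            out.append((zlib.decompress(body), True))   # FlateDecode stream
        except zlib.error:
            out.append((body, False))  # not compressed (or damaged): keep raw
    return out


def count_name(name, data):
    """Count a PDF name token; the lookahead stops /JS matching /JSxyz."""
    return len(re.findall(re.escape(name) + rb"(?![^\s()<>\[\]{}/%])", data))


def triage_pdf(data):
    """Static indicators for the kind of PDF described above: script hooks,
    a U3D object, and an embedded-binary candidate sitting in a stream."""
    streams = extract_streams(data)
    # Scan the raw file plus every inflated stream: objects can hide inside
    # compressed object streams where the raw bytes show nothing.
    views = [unescape_names(data)]
    views += [unescape_names(b) for b, inflated in streams if inflated]
    names = {}
    for name in SUSPICIOUS_NAMES:
        n = sum(count_name(name, v) for v in views)
        if n:
            names[name.decode()] = n
    bodies = [b for b, _ in streams]
    hints = sorted({h.decode() for h in SHELLCODE_HINTS
                    if any(h in b for b in bodies)})
    # A PE image stored as a stream is the embedded binary; this only catches
    # the plaintext case, an encrypted one needs the shellcode's decryption.
    exes = sum(1 for b in bodies
               if b.startswith(b"MZ")
               or b"This program cannot be run in DOS mode" in b)
    has_script = names.get("/JavaScript", 0) + names.get("/JS", 0) > 0
    has_trigger = names.get("/OpenAction", 0) + names.get("/AA", 0) > 0
    has_payload = exes > 0 or names.get("/U3D", 0) > 0
    if has_script and has_payload:
        verdict = "likely malicious"
    elif has_script or has_trigger or has_payload:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"names": names, "shellcode_hints": hints,
            "embedded_executables": exes, "verdict": verdict}


def build_sample_pdf():
    """Constructed, inert stand-in for the PDF in the post: same object layout
    (OpenAction -> JavaScript, a U3D 3D object, a binary in a stream), but the
    script only shows an alert and the 'binary' is a fake MZ header."""
    js = b'var sc = unescape("%u9090%u9090"); app.alert("demo");'
    fake_pe = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode"

    def obj(num, body):
        return str(num).encode() + b" 0 obj " + body + b" endobj\n"

    def stream_obj(num, extra, body):
        head = b"<< /Length " + str(len(body)).encode() + b" " + extra + b" >>"
        return obj(num, head + b"\nstream\n" + body + b"\nendstream")

    return b"".join([
        b"%PDF-1.7\n",
        obj(1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>"),
        obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
        obj(3, b"<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>"),
        # Escaped name: grepping the raw bytes for /JavaScript misses this.
        obj(4, b"<< /S /J#61vaScript /JS 6 0 R >>"),
        obj(5, b"<< /Type /Annot /Subtype /3D /3DD 7 0 R >>"),
        stream_obj(6, b"/Filter /FlateDecode", zlib.compress(js)),
        stream_obj(7, b"/Type /3D /Subtype /U3D", b"U3D\x00fake-mesh-data"),
        stream_obj(8, b"", fake_pe),
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    for key, value in triage_pdf(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should keep in mind. First, the scanner only sees an embedded executable when it is stored in the clear; the post says the shellcode decrypts the binary, so a real sample would show up only through the U3D and JavaScript indicators until the stream is decrypted by emulating or stepping through the shellcode. Second, legitimate forms use JavaScript and OpenAction too, so "suspicious" is a reason to look closer, not a conviction; the script is a triage aid in front of a sandbox, not a replacement for one.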
Trend Micro protects its customers from this attack via the Trend Micro™ Smart Protection Network™ infrastructure by blocking all related files and URLs.
Threat Discovery Appliance (TDA) also detects traffic to the malicious sites through TDA Rule 18 NCCP – 1.11525.00, while Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plug-in provide protection through the following rules:
- 1004871 – Adobe Acrobat Reader U3D Component Memory Corruption Vulnerability (CVE-2011-2462)
- 1004873 – Adobe Acrobat Reader U3D Component Memory Corruption (CVE-2011-2462)
Users can stay informed by checking the Adobe security advisories page for more information on this zero-day vulnerability.