Mar 1, 6:33 pm (UTC-7) | by Jessa De La Torre (Threat Response Engineer)
Trend Micro recently came across a .PDF file sample that exploits a vulnerability discovered as early as mid-2009. The specially crafted .PDF file, detected as TROJ_PIDIEF.SML, contains malicious JavaScript that uses the getAnnots() method to corrupt an affected system’s memory.
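A triage check for the kind of file described above, as an added example that is not part of the original post or of Trend Micro's detection: it inflates FlateDecode streams in a PDF and flags script-related names together with a getAnnots reference. The indicator list, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

# Assumed triage indicators (not from the original post): PDF names that
# introduce script or auto-run actions, plus the getAnnots call it mentions.
NAME_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
HEXNAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_names(data: bytes) -> bytes:
    """Undo #xx escapes in PDF names, e.g. /J#61vaScript -> /JavaScript."""
    return HEXNAME_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes):
    """Yield the inflated body of every stream that is zlib (FlateDecode) data."""
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a stream cut short by the regex boundary
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # other filter or plain text; raw bytes are scanned anyway


def triage_pdf(data: bytes) -> dict:
    """Flag script-related names and getAnnots use in raw and inflated content."""
    bodies = [decode_names(data)] + list(inflate_streams(data))
    names = sorted(k.decode() for k in NAME_KEYS if any(k in b for b in bodies))
    uses = any(b"getAnnots" in b for b in bodies)
    return {"script_names": names, "getAnnots": uses,
            "suspicious": bool(names) and uses}


def build_sample() -> bytes:
    """Constructed sample: PDF-like bytes holding a benign, compressed script."""
    script = zlib.compress(b"var a = this.getAnnots({nPage: 0});")
    return (b"%PDF-1.4\n1 0 obj\n"
            b"<< /OpenAction << /S /J#61vaScript /JS 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode /Length "
            + str(len(script)).encode() + b" >>\nstream\n" + script
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample()))
```

A hit is a reason to send the file for deeper analysis, not a verdict: legitimate documents also call getAnnots, and an obfuscated script can hide the string.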
It is interesting to note that its final payload is the download of a malicious binary file that happens to be a ZBOT/ZeuS variant detected as TROJ_ZBOT.BYZ. The attack thus combines the two most prevalent threats today: ZBOT and PDF exploits. From phishing emails to social-networking sites, the widespread ZeuS Trojan has now been making its rounds across various attack vectors to get into users’ systems.
ZeuS has been around since 2007, and even though most antivirus companies have caught on to its stealth and polymorphic routines, this malware still shows no signs of slowing down.
Learn more about ZBOT/ZeuS and the various tactics it uses in the following blog entries:
- Keeping an Eye on EYEBOT and a Possible Bot War
- New ZBOT/Zeus Binary Comes with a Hidden Message
- ZBOT Variant Spoofs the NIC to Spam Other Government Agencies
- Phishing in the Guise of Enhancing Security
- ZBOT Targets Facebook Again
Trend Micro protects users from this attack via the Smart Protection Network™, which blocks user access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service. Not a Trend Micro user? We also offer free system checks with HouseCall, which identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems. You may also use RUBotted to find out if your machine is already part of a botnet.





