We have discovered a new Adobe Reader/Acrobat exploit (detected since 24 June 2008 as TROJ_PIDIEF.AC) hosted on the following URL:
Exploiting the vulnerability lets the malicious PDF execute arbitrary code inside Adobe Reader/Acrobat; that code downloads and executes a file found in:
The downloaded file is saved in the user's temporary folder as Eyal.exe. Trend Micro detects this file as TROJ_DLOAD.BO. This Trojan replaces the infected user's current wallpaper with the image below:
Figure 4. Wallpaper modified by TROJ_DLOAD.BO.
Furthermore, TROJ_DLOAD.BO downloads screensaver files and disables the Screensaver tab in the Display Properties dialog of the compromised PC, so the user cannot change the screensaver through that dialog:
Figure 5. TROJ_DLOAD.BO disables the Screensaver tab normally found among the tabs under Display Properties.
TROJ_DLOAD.BO then displays random screensavers, some of which are shown below:
Figure 6. Sample screensaver 1
Figure 7. Sample screensaver 2
Figure 8. Sample screensaver 3
Figure 9. Sample screensaver 4
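The behaviours described above (Eyal.exe dropped into the temp folder, the wallpaper swapped, the Screensaver tab hidden, screensavers pulled from elsewhere) are host-side indicators a responder can check directly. The following is an added triage script, not part of the original write-up or of Trend Micro's tooling. Two things in it are assumptions rather than facts from the page: that the tab is hidden through the NoDispScrSavPage policy value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, and that the wallpaper and screensaver paths are read from HKCU\Control Panel\Desktop (the Wallpaper and SCRNSAVE.EXE values). The assessment itself is a pure function over those inputs, so it can be run against constructed or exported data on any platform; the live collector needs Windows.

```python
import ntpath
from typing import Dict, Iterable, List

# Indicators the write-up gives: the downloader is dropped as Eyal.exe in the temp folder,
# the wallpaper is replaced, and the Screensaver tab disappears from Display Properties.
DROPPED_NAME = "eyal.exe"
# Assumptions (not stated on the page): the tab is hidden with the NoDispScrSavPage policy
# value, and the wallpaper and screensaver paths live under HKCU\Control Panel\Desktop.
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
DESKTOP_KEY = r"Control Panel\Desktop"


def under(path: str, directory: str) -> bool:
    """True if path lies inside directory, using Windows path rules on any host."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p.startswith(d.rstrip("\\") + "\\")


def assess(temp_dir: str, temp_files: Iterable[str],
           policy: Dict[str, object], desktop: Dict[str, str]) -> List[str]:
    """Return one finding per indicator present; an empty list means nothing matched."""
    findings = []
    for name in temp_files:
        if name.lower() == DROPPED_NAME:
            findings.append("dropped downloader present: " + ntpath.join(temp_dir, name))
    # REG_DWORD arrives as int; compare as text so an exported string value also matches.
    if str(policy.get("NoDispScrSavPage", 0)) == "1":
        findings.append("Screensaver tab hidden: NoDispScrSavPage=1 under HKCU\\" + POLICY_KEY)
    for value in ("Wallpaper", "SCRNSAVE.EXE"):
        path = desktop.get(value, "")
        if path and under(path, temp_dir):
            findings.append(f"{value} points into the temp folder: {path}")
    return findings


def read_key(hive, subkey: str) -> Dict[str, object]:
    """Read every value of a registry key into a dict (Windows only)."""
    import winreg
    values = {}
    try:
        with winreg.OpenKey(hive, subkey) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values
                values[name] = data
                i += 1
    except OSError:
        pass  # key absent: nothing is configured there
    return values


def assess_live_host() -> List[str]:
    """Collect the inputs from the running Windows host and assess them."""
    import os
    import winreg
    temp_dir = os.environ.get("TEMP", r"C:\Windows\Temp")
    return assess(temp_dir, os.listdir(temp_dir),
                  read_key(winreg.HKEY_CURRENT_USER, POLICY_KEY),
                  read_key(winreg.HKEY_CURRENT_USER, DESKTOP_KEY))


if __name__ == "__main__":
    for line in assess_live_host():
        print(line)
```

A match on the file name alone is weak (the name can change between downloads), which is why the three indicators are reported separately rather than collapsed into a single verdict: the policy value and a wallpaper or screensaver path inside the temp folder are the more durable signs of this particular payload.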
According to the Adobe Security Bulletin on this issue, the vulnerability exists in Adobe Reader 7.0.9 and earlier, Adobe Reader 8.0 to 8.1.2, Adobe Acrobat 7.0.9 and earlier, and Adobe Acrobat 8.0 to 8.1.2. In our testing the exploit executes its payload on the earlier affected versions, while on 8.1.2 it only crashes the application.
We believe this is not the first time this particular vulnerability has been exploited. So far we have two other reports of malicious PDFs that behave much like the exploit discussed here: TROJ_PIDIEF.NN (detected since 07 June 2008) and TROJ_PIDIEF.AE (detected since 24 June 2008).
As of the most recent testing, TROJ_PIDIEF.AC is observed to download an info-stealer (mostly monitoring and gathering information about running processes, installed programs and system information) and a spam bot that enrolls the compromised PC in a botnet. The common danger with downloaders is that the victim never knows what the final payload will be: because the malware writers retain control of the URL, they can swap the hosted file for a different or more damaging payload at any time. It thus becomes all the more important to employ a protection suite that cuts off the infection at several points of the attack chain.
In this case, Trend Micro Smart Protection Network already blocks the malicious URLs and detects the file that takes advantage of the critical vulnerability. Users are strongly encouraged to update their scan engines and to apply the vendor's patch as soon as it becomes available.
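Beyond signature detection of the specific sample, a malicious PDF of this kind needs a few things that can be checked statically: something that fires when the document opens (/OpenAction or an /AA additional-actions entry) and a vector that runs code or reaches the network (/JavaScript, /JS, /Launch, /URI, /EmbeddedFile). The following is an added triage scan, not Trend Micro's detection logic and not derived from the TROJ_PIDIEF.AC sample, whose exploitation details are not given on this page. It deliberately handles two things a naive keyword grep misses: PDF names may be written with #xx hex escapes (/J#61vaScript is the same name as /JavaScript), and object bodies may be Flate-compressed. The two documents it scans are constructed inline as stand-ins.

```python
import re
import zlib
from typing import Dict

# Name tokens a PDF needs in order to run something on open or to reach outside the
# document. Presence is a triage signal, not proof of exploitation (added heuristic,
# not Trend Micro's detection logic).
TRIGGERS = (b"/OpenAction", b"/AA")
VECTORS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/EmbeddedFile")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names, so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return data plus the inflated body of every zlib (FlateDecode) stream in it."""
    parts = [data]
    # The lookbehind keeps the "stream" inside "endstream" from starting a match.
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            # decompressobj returns what it can even if the regex trimmed a trailing
            # CR from the body, which a plain zlib.decompress would reject.
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a zlib stream (image data, another filter): ignore it
    return b"\n".join(parts)


def count_names(data: bytes) -> Dict[bytes, int]:
    """Count trigger and vector names after inflating streams and unescaping names."""
    text = normalize_names(inflate_streams(data))
    counts = {}
    for name in TRIGGERS + VECTORS:
        # A name ends at a delimiter, so /JS must not match /JSomething.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if n:
            counts[name] = n
    return counts


def is_suspicious(data: bytes) -> bool:
    """Flag a document that both auto-triggers an action and has a code/launch vector."""
    found = count_names(data)
    return any(t in found for t in TRIGGERS) and any(v in found for v in VECTORS)


def build_sample(malicious: bool) -> bytes:
    """Constructed stand-in document (not the TROJ_PIDIEF.AC sample).

    The malicious variant auto-runs a JavaScript action whose name is hex-escaped
    and whose script body is Flate-compressed.
    """
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R"
        + (b" /OpenAction 4 0 R" if malicious else b"") + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    if malicious:
        body = zlib.compress(
            b"app.alert('constructed sample: this is where the downloader would run');")
        objs.append(b"<< /S /J#61vaScript /JS 5 0 R >>")
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
                    + body + b"\nendstream")
    out = [b"%PDF-1.4"]
    for num, obj in enumerate(objs, 1):
        out.append(b"%d 0 obj\n" % num + obj + b"\nendobj")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF")
    return b"\n".join(out)


if __name__ == "__main__":
    for label, doc in (("malicious", build_sample(True)), ("clean", build_sample(False))):
        print(label, count_names(doc), "suspicious" if is_suspicious(doc) else "ok")
```

Treat a hit as a reason to detonate or decode the file further, not as a verdict: legitimate forms use /JavaScript and /AA routinely, and an exploit that corrupts a parser with malformed object data rather than scripting can pass this scan entirely, which is exactly why the vendor patch remains the real fix.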