Russians behind attack PDFs, security researcher says

An infamous hacker gang is sending malicious PDF docs, stealing financial data

A notorious Russian hacker gang is responsible for ongoing attacks using malicious PDF documents, a researcher said Wednesday.

Users can thank the Russian Business Network (RBN), a well-known collective of cybercriminals, for the malware-armed PDF attachments that began appearing in in-boxes Tuesday, said Ken Dunham, director of response for iSight Partners. If the rigged PDFs succeed in infecting the target Windows system, the attack code installs a pair of rootkit files that "sniff and steal financial and other valuable data," said Dunham via e-mail.

The rogue PDF documents are attached to spammed e-mail and arrive with filenames such as BILL.pdf, YOUR_BILL.pdf, INVOICE.pdf or STATEMET.pdt, said Symantec in a separate advisory Tuesday. They exploit the "mailto:" protocol vulnerability disclosed more than a month ago by U.K.-based researcher Petko Petkov.

When recipients open the attacking PDF, it launches a Trojan horse dubbed "Pidief.a" that knocks out the Windows firewall and then downloads another piece of malware to the compromised computer. That second piece of attack code is a dedicated downloader that, in turn, retrieves the two rootkit files from a pair of RBN-controlled servers and drops them onto the hacked PC.

According to Dunham, the RBN servers and the rootkit files are familiar to researchers. "[They] are the same as those used in zero-day Vector Markup Language (VML) attacks from September 2006," he said. The VML vulnerability, disclosed early that month, was so aggressively exploited that a group of security professionals issued an unsanctioned patch, prompting Microsoft to release one of its rare out-of-cycle fixes in late September.

Adobe Systems fixed the flaw Monday and released updated 8.1.1. editions of both Reader and Acrobat that plug the hole. Users of older versions of the popular programs must either upgrade to 8.1.1 or apply one of the temporary work-arounds that Adobe provided to stifle attacks. On Monday, Adobe did say that it would update Adobe Reader 7.0.9 and Acrobat 7.0.9 "at a later date," but it did not set a definitive timeline.

Although Adobe patched the newest versions of Reader and Acrobat, the vulnerability is ultimately Microsoft 's responsibility. The software vendor owned up to that two weeks ago, saying that it would patch common protocol handlers such as "mailto:" in Windows XP and Windows Server 2003.

Only users running the Internet Explorer 7 browser on Windows XP or Windows Server 2003 are vulnerable to the PDF exploit.

Adobe's security bulletin includes links to the Adobe Reader and Acrobat updates.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?