Major malware campaign abuses unfixed PDF flaw

Message poses as e-mail reset instructions, plants worm that can spread via flash drive

Several security companies today warned of a major malware campaign that tries to dupe users into opening rigged PDFs that exploit an unpatched design flaw in the format.

Users who open the attack PDFs are infected with a variant of a Windows worm known as "Auraax" or "Emold," researchers said.

The malicious messages masquerade as mail from company system administrators and come with the subject heading of "setting for your mailbox are changed," said Mary Grace Gabriel, a research engineer with CA Inc.'s security group . A PDF attachment purportedly contains instructions on how to reset e-mail settings. "SMTP and POP3 servers for ... mailbox are changed. Please carefully read the attached instructions before updating settings," the message states.

In reality, the PDFs contain embedded malware and use the format's /Launch function to execute that malware on Windows PCs running the newest versions of the free Adobe Reader, Adobe's for-a-fee Acrobat and other PDF viewers, such as Foxit Reader.

The /Launch feature is not a security vulnerability per se, but actually a by-design function of the PDF specification. Earlier this month, Belgium researcher Didier Stevens demonstrated how attack PDFs could use /Launch to run malware tucked into documents.

Two weeks ago, security researchers tracked a new run by the Zeus botnet that used the /Launch flaw to infect PCs.

Adobe has previously declined to answer questions on whether in-the-wild use of /Launch in rigged PDFs would prompt the company to update Reader and Acrobat, although it has said a change to the functionality might "conceivably [be made] available during one of the regularly scheduled quarterly product updates." Brad Arkin, Adobe's head of security and privacy, has acknowledged that one possible solution would be to disable the function; currently, it's turned on by default.

After analyzing the attack PDF, other researchers found that hackers are using Stevens' tactic of modifying the warning that Reader and Acrobat display. Adobe Reader, for example, displays a message telling users to open only those files they know are safe. In the same Windows dialog box, Reader displays the filename of the file about to be launched. According to IBM Internet Security Systems researchers , hackers have modified the warning to simply read, "Click the 'open' button to view this document."

Other security researchers, including those at Paris-based CERT-Lexsi , have also reported on the e-mail bearing rogue PDF attachments. CERT-Lexsi added that the malware's command-and-control server is located in Korea.

IBM researchers said the malware launched from the rigged PDF seems to be version of Auraax or Emold worm. The worm drops a rootkit onto the compromised PC, and also tries to copy itself to all removable drives, including flash drives, to spread using the "Autorun" infection tactic made popular by 2008's Conficker worm.

Staff at IDG -- which is the parent company of Computerworld -- have received the malicious messages with attached PDF documents. Those messages can pose as ones from "customersupport@ domain name .com," "support@ domain name .com," and "admin@ domain name .com," where domain name is typically the company's name.

An Adobe spokeswoman today declined to comment on the latest attacks, and said the company was still researching the /Launch functionality in Adobe Reader and Acrobat to identify "all possible use scenarios for this particular functionality to ensure we are not breaking any common workflows for our customers." Adobe's current advice remains that users configure Reader and Acrobat to stymie such attacks, she added. Adobe has posted instructions on its Web site.

IBM's security team also recommended that users disable Windows' Autorun feature for all flash drives, and pointed them toward a Microsoft support document for instructions and updates.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Knowledge Center.

Join the PC World newsletter!

Error: Please check your email address.

Tags securitypdf bugmalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?