PDF files under attack
Just after Adobe patches Acrobat, exploits target vulnerable systems; one such exploit traced to Russian Business Network.
On Monday, Adobe released a patch for versions 8.1 and earlier of its Acrobat and Acrobat Reader. This patch affects Windows XP SP2 with IE7 and Adobe Reader 7 through 8.1 and addresses the flaws cited in CVE-2007-5020. If exploited, a criminal hacker could launch malicious code on an affected system.
Security researcher Petko D. Petkov first blogged about the vulnerablity in September and predicted that shortly after the patch's release there would be a flood of proof-of-concept exploits on the Internet. He was right. Because of the extremely high risk, Adobe is encouraging everyone to install the patch and update to Acrobat and Acrobat Reader version 8.1.1.
One of the exploits has been traced to the Russian Business Network (RBN). According to iSight Partners, the exploit installs two rootkit files from the UrSnif family. "Servers (126.96.36.199xx and 188.8.131.52xx) used in the attack have a history of malicious abuse including VML UrSnif attacks, animated cursor exploitation (ANI), and CoolWebSearch installations," says Ken Dunham of iSight Partners.
Dunham adds that the RBN attack arrives through e-mails with the subject of "STATEMET indigene" and attachments "YOUR_BILL.PDF" and "INVOICE.PDF".