NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0326 Russians Believed Behind Latest PDF Attack:
The director of response for iSight Partners said a notorious Russian hacker gang
is responsible for ongoing attacks using malicious PDF documents. He said users can
thank the Russian Business Network (RBN), a well-known collective of cybercriminals,
for the malware-armed PDF attachments that began appearing in in-boxes yesterday. If
the rigged PDFs succeed in infecting the target Windows system, the attack code installs
a pair of rootkit files that sniff and steal financial and other valuable data. The
rogue PDF documents are attached to spammed email and arrive with filenames such as
BILL.pdf, YOUR_BILL.pdf, INVOICE.pdf, or STATEMET.pdt, said Symantec Corporation in a
separate advisory. They exploit the "mailto:" protocol vulnerability disclosed more
than a month ago by a UK-based researcher. When recipients open the attacking PDF, it
launches a Trojan horse dubbed "Pidief.a" that knocks out the Windows firewall and then
downloads another piece of malware to the compromised computer. That second piece of
attack code is a dedicated downloader that, in turn, retrieves the two rootkit files
from a pair of RBN-controlled servers and drops them onto the hacked PC. Adobe Systems
fixed the flaw Monday and released updated 8.1.1 editions of both Reader and Acrobat
that plug the hole. Users of older versions of the popular programs must either upgrade
to 8.1.1 or apply one of the temporary work-arounds that Adobe provided to stifle attacks.
(ComputerWorld 24OCT07)