Archive for the ‘Security’ Category

Adobe Reader Vulnerability

November 11th, 2008

Several active exploits targeting a vulnerability in Adobe Reader are now in the wild. Last week, Adobe released an update for Adobe Acrobat 8 and Adobe Reader 8, and a day later, working exploit code for the util.printf() vulnerability was released. As expected, malware authors were quick to use the exploit for their own gain.

Trend Micro Research Manager Ivan Macalintal was alerted to the discovery of malicious .PDFs that exploit the Adobe Reader vulnerability, which Trend Micro now detects as TROJ_PIDIEF.CB. Users with unpatched Adobe Reader software may be infected when they unknowingly access a certain remote website or are redirected there from malicious banners and ads.

Upon execution, TROJ_PIDIEF.CB could crash Reader and then allow a malicious user to take control of an affected system. This compromises system security and exposes the system to more threats, as malicious users could easily dump adware and malicious programs under the VUNDO, VIRTUMON, and in some cases, also VIRUT families onto infected PCs.

Trend Micro strongly advises users to patch their Adobe Reader to ensure they are safe from the threats that come with this vulnerability by downloading the updates found in the Adobe Security Bulletin:

Featured, Security

Obama ‘Impeachment’ Spam

November 10th, 2008

U.S. presidential candidate John McCain plans to impeach president-elect Barack Obama, at least according to the latest post-election spam spotted today. Here’s a screenshot of the sample email message:

Figure 1. Politically-tinged spam email just keeps coming

Our researchers have seen the following subject lines containing the same text as the above:

  • Barack Obama in Danger – McCain will fight for the president post
  • McCain Lawmakers Impeach Obama
  • The impeachment of new president Obama
  • Barack Obama can lost President’s Chair.
  • POLITICAL STRIKE TIES
  • McCain Lawyers Want to Stop Obama

These subject lines are meant to rouse users' curiosity so that they click the link, which connects to several malicious Web sites. When users access the sites, a bogus US government official website is displayed. It presents a fake video (actually an image) and tricks the user into downloading a fake Adobe Player installer from a URL ending in AdobePlayer9.exe. Trend Micro detects this file as TROJ_PACKED.JFP, which drops and executes TROJ_ROOTKIT.FX. Smart Protection Network also blocks users from accessing the malicious links in the spam, the fake video, and the URL from which the executable is downloaded.

Security