Trend Micro researchers spotted a spam run that purported to come from the American Institute of Certified Public Accountants (AICPA). The spammed message claims that the organization received notice of the recipient’s possible assistance in an unlawful tax refund activity.

As such, the recipient’s CPA license can be revoked because of such involvement. The recipients must click on the link provided to prevent license termination. However, clicking on the link leads to the download of a malware detected by Trend Micro as TROJ_PIDIEF.SMNT. When executed, TROJ_PIDIEF.SMNT exploits the following vulnerabilities:

  • Adobe Acrobat util.printf Buffer Overflow
  • Adobe Acrobat collab.getIcon Buffer Overflow
  • Adobe Reader media.newPlayer Exploit
  • Adobe Acrobat Collab.collectEmailInfo Buffer Overflow

These vulnerabilities are old and can lead to the download of malicious files once successfully exploited on the infected systems. According to Trend Micro Solutions Evangelist Ivan Macalintal, cutwail botnet is probably behind this spam run. Cutwail/Pushdo botnet is a spamming botnet which is reportedly taken down last 2010. However, a few days after its takedown, it launched a Facebook spam run.

Spammed messages often spoof well-known organizations in order to appear legitimate to recipients. Users should be wary when they encounter such messages. For official announcements, it’s best to contact the organizations or to visit their official websites. Trend Micro protects users from this spam run via its Smart Protection Network that detects the spam and related malware.

 SPAM BLOCKING DATE / TIME: February 17, 2012 GMT-8
  • PATTERN:8716