Background of the Attack
What happens in this attack?
Users may either receive a spammed message or unknowingly download a specially crafted .PDF file from a malicious site. Opening the file lets cybercriminals exploit the CVE-2009-4324 vulnerability in the user's Adobe Reader and Acrobat software, which may allow remote attackers to execute malicious code embedded in the crafted .PDF file on the affected system. The exploit is also used to drop other malware onto the affected system, which then connects to a remote URL.
The diagram above illustrates two recent versions of this attack, both of which appeared after Adobe released a security bulletin in January. This is a developing story. These exploit codes take advantage of CVE-2009-4324 to connect to remote URLs and download other Trojans onto affected systems.
What are the known detections in this attack?
The first two rounds of vulnerability attacks occurred in December and in the early part of January, before Adobe released the update. The first zero-day attack led to the detection of TROJ_PIDIEF.PGT, TROJ_PIDIEF.PGS, and TROJ_PIDIEF.PGU. The second attack, which occurred a few days before the update's release, led to the detection of TROJ_PIDIEF.WIA, which dropped BKDR_POISON.UC. The most recent attack ensued after the update's release and led to two separate infection chains, beginning with TROJ_PIDIEFX.F and TROJ_PIDIEF.SHK respectively.
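As an added defender-side example (not part of the original article or its vendor's tooling), the following Python triage script flags the PDF indicators relevant to this attack: script-on-open markers and the `newPlayer` method name that CVE-2009-4324 concerns. The sample PDF is constructed inline and contains no exploit.

```python
import re
import zlib

# Indicators a defender looks for when triaging a PDF suspected of carrying
# a CVE-2009-4324 exploit. /JavaScript, /JS and /OpenAction mark script that
# runs when the document opens; "newPlayer" names the Doc.media method whose
# use-after-free CVE-2009-4324 describes (a fact about the CVE, not stated on
# this page).
INDICATORS = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action executed when the document opens",
    b"/Launch": "launch action",
    b"newPlayer": "Doc.media.newPlayer call (CVE-2009-4324 target)",
}

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(pdf):
    """Return the raw PDF bytes plus every FlateDecode stream inflated, so
    indicators hidden inside compressed objects are visible to the scan."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not deflate-compressed or corrupt; raw bytes were kept
    return b"\n".join(parts)


def triage_pdf(pdf):
    """Return the sorted descriptions of all indicators found in the PDF."""
    data = inflate_streams(pdf)
    return sorted(desc for token, desc in INDICATORS.items() if token in data)


def risk_level(findings):
    """Map triage findings to a coarse verdict for the analyst queue."""
    if any("CVE-2009-4324" in f for f in findings):
        return "high"
    return "medium" if findings else "low"


# Constructed sample (not a real exploit): a tiny PDF whose open action points
# at a deflate-compressed object holding JavaScript that references newPlayer.
_JS = b"<< /S /JavaScript /JS (var p = this.media.newPlayer;) >>"
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /Filter /FlateDecode >>\nstream\n"
              + zlib.compress(_JS) + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    found = triage_pdf(SAMPLE_PDF)
    print(risk_level(found), found)
```

Because the stream is inflated before scanning, the JavaScript and newPlayer markers are found even though they never appear in the raw file bytes.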
Why is this attack noteworthy?
Am I at risk?
So what can I do to protect my computer?
An important first step is to download and install the appropriate Adobe Reader and Acrobat updates to prevent exploit attacks. The same practice also keeps other applications on user systems from being exploited. Adobe also plans to release an automatic/silent updater that will patch systems without user intervention, which should lessen the number of users who can be victimized by attacks employing exploits for already patched vulnerabilities.
It is also important to always exercise caution when opening .PDF files, particularly those attached to email messages from unknown sources or those downloaded from the Web.