Adobe is still discussing what to do about a design issue affecting its software that is being exploited by attackers, who are infecting users with the Zeus Trojan. According to Websense, the malicious PDFs being spammed out by attackers are leveraging the launch action feature used by PDF viewers such as Adobe Reader and Foxit Reader.
Adobe Systems has not made a decision whether to change its approach
to the launch action feature
in Adobe Reader now being abused in a malware
A spokesperson for Adobe told eWEEK Friday the company is still evaluating
if it will do anything to address a design issue that is being roped into an
attack campaign infecting
users with the Zeus Trojan
. According to Websense, attackers have been
sending e-mails with a malicious PDF file. The attack is similar to a
technique security researcher Didier Stevens disclosed roughly two weeks ago
that used the launch action function to launch an embedded executable in a PDF
triggered a warning dialog in Adobe Reader, and Foxit
Software updated its Foxit Reader recently to provide a warning as well.
According to Adobe spokesperson Wiebke Lips, the warning provided by the
company's software contains "strong wording advising users to only open
and execute the file if it comes from a trusted source."
"This is an example of powerful functionality relied on by some users
that also carries potential risks when used incorrectly," Lips has said.
While the attack reported
is similar to that of Stevens, it appears technically
to use a Metasploit module developed last year.
"The Metasploit Framework has had support for the PDF Launch method since
August of 2009, when Colin Ames of Attack Research released the module as part
of his Black Hat USA presentation," said HD Moore, founder of the Metasploit
project and chief security officer at Rapid7. "The technique to hide the
malicious command was disclosed by Didier Stevens when he independently found
this feature in late March."
According to Websense, the attack works this way: Users receive a malicious
PDF file which contains the threat as an embedded file. When recipients open
the PDF, it asks them to save a file called Royal_Mail_Delivery_Notice.pdf,
which is actually a Windows executable.
"The file you would be saving is the hidden embedded Trojan, which then
launches automatically," explained Carl Leonard, senior research manager at
Websense Security Labs.
Once the malicious PDF launches the dropped file and takes control of the
computer, it connects to an attack server in China,
Zeus is best known as a data-stealing Trojan targeting online banking
information. It is widely available on hacker forums, with variants selling
from a few hundred to several thousand dollars.
considers whether or not
it will adjust the launch action feature or leave
it as is, there are a few steps users concerned about the issue can take
to protect themselves.
"There are a three simple things home users can do to protect themselves," Moore
advised. "The first and foremost is to ensure that their copy of Adobe Reader
is updated with the latest patches. The Launch action requires user
confirmation, but many of the previous Reader vulnerabilities required no
action at all on the user's side.
the final thing is to change the Trust settings within Adobe Reader to prevent
external, non-PDF attachments from being launched," he said.