Curiosity as a Malicious PDF

What would you do if you saw an email in your inbox with a PDF named “U.S. ship thwarts second pirate attack November 18, 2009.pdf”? Would the title pique your curiosity? I hope not enough for you open the document!

This PDF is the latest in the ugly line of exploit- and malware-ridden embedded PDFs that damage your computer. If you were unfortunate enough to open the file, you’d see what the malware writers expect you to see: a file named “Adobe.pdf” with details on a real story about piracy off the coast of East Africa.

But behind the scenes, sinister things occur. The malicious PDF runs some JavaScript that exploits the Adobe Collab overflow (CVE-2007-5659) and Adobe getIcon (CVE-2009-0927) vulnerabilities. This screenshot shows the beginning of the compressed JavaScript stream:

In addition, two variants of ProcKill-EM are dropped into the Windows system folder, usually C:\Windows\system32.

As always, if you receive a document–PDF or otherwise–from someone you don’t know, don’t open  it. And even if you know the document’s sender, scan the file with your anti-virus program with the latest signatures before you open it.

McAfee customers are protected in the 5809 DATs against the threats mentioned above, as Exploit-PDF.aa and ProcKill-EM. Keep your signatures up to date and stay secure!