New Year, New Attacks Against Adobe Zero-Day

Crooks are once again exploiting the zero-day hole in Adobe Reader and Acrobat to install a remote-control Trojan on victim machines.

The attacks start with a malicious .pdf that the Internet Storm Center has analyzed in depth. The ISC is a volunteer organization that tracks Internet attacks.

As the ISC notes, "malicious PDF documents are not rare these days," and attacks typically attach them to e-mails. But targeted attacks only sent to a small number of victims are often missed by security programs, and the attack sample sent in to the ISC was initially detected by only six out of 40 antivirus vendors, according to the analysis.

This particular attack attempts to install the PoisonIvy Trojan, which allows an attacker to gain remote control over an infected PC. It also drops off a harmless .pdf file named baby.pdf and then opens it with Reader, a bit of digital sleight-of-hand intended to disguise the attack.

The Adobe flaw has been under attack since it was disclosed last month. In its security bulletin, Adobe notes that for some combinations of Windows and Reader versions, this security hole will only allow for crashing Reader instead of installing malware.

In the bulletin, Adobe says it will release an update on January 12th, but until then the ISC suggests disabling Javascript in Reader and Acrobat (instructions in the bulletin). Using an alternate .pdf reader such as Foxit should also help mitigate the threat.

Subscribe to the Security Watch Newsletter

Comments