New PDF malware spam (Apr 28, 2010)


The SonicWALL UTM Research team has discovered a new PDF malware that has been heavily spammed in the wild since last night and that exploits the Adobe PDF flaw. More information about the flaw is available here: Social Engineering Attack Against Adobe Reader (Apr 01, 2010)

The e-mail pretends to come from the recipient's mail domain administrator or operator. It tells the user to read the instructions in the attached PDF file about new mailbox settings. The e-mail message looks like the one below:

screenshot

If the user opens the PDF file, it prompts the user to click the Open button in order to view the document, as seen below:

screenshot

However, the batch code that actually gets executed is hidden further up in the text of the same dialog box, as can be seen here:

screenshot

screenshot

Once the user clicks the Open button, the embedded batch code is executed as shown above. It drops a malicious Trojan executable at the following location and then runs it:

  • C:\Program Files\Microsoft Common\svchost.exe [Detected as GAV: Bezopi.A (Trojan)]
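As an added example (not code from the original post or from SonicWALL), a small Python scanner that locates /Launch actions in a PDF, extracts the program and parameter strings Reader would run, and counts the line breaks inside the dialog text. It assumes the command is pushed out of the visible dialog area by padding the /P string with line breaks; the embedded PDF fragment is constructed for the test, not the real sample, and the dropped path it references is the one named above.

```python
import re

# Constructed sample (not the real spammed file): a minimal PDF with a /Launch action.
# /F is the program Reader starts and /P its parameters; /P is also the text shown in
# the "Open File" dialog, so the run of escaped newlines pushes the real command out
# of the visible area. The dropped path is the one named in the post.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) "
    b"/P (/c echo Click the Open button to view the document." + b"\\n" * 40 +
    b'& start "" "C:\\\\Program Files\\\\Microsoft Common\\\\svchost.exe") >> >> endobj\n'
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}

def decode_literal(raw: bytes) -> str:
    """Resolve the PDF literal-string escapes that matter here (\\n \\r \\t \\( \\) \\\\)."""
    return re.sub(rb"\\([nrt()\\])", lambda m: _ESCAPES[m.group(1)], raw).decode("latin-1")

def _string_after(key: bytes, body: bytes) -> str:
    """Extract the literal string that follows a dictionary key such as /P."""
    m = re.search(rb"/" + key + rb"\s*\((.*?)(?<!\\)\)", body, re.S)
    return decode_literal(m.group(1)) if m else ""

def find_launch_actions(pdf: bytes) -> list:
    """Return one record per /Launch action found in the raw PDF bytes."""
    findings = []
    for m in re.finditer(rb"/S\s*/Launch", pdf):
        end = pdf.find(b"endobj", m.end())
        body = pdf[m.end():end if end != -1 else len(pdf)]
        target = _string_after(b"F", body)
        lines = _string_after(b"P", body).split("\n")
        record = {
            "target": target,
            "padding_lines": len(lines) - 1,  # line breaks inside the dialog text
            "tail": lines[-1].strip(),        # what actually runs after the padding
        }
        # Alert on a command interpreter as the launch target, a command hidden
        # behind a run of blank lines, or an .exe path in the unseen part of the text.
        record["suspicious"] = (
            target.lower().endswith("cmd.exe")
            or record["padding_lines"] >= 5
            or ".exe" in record["tail"].lower()
        )
        findings.append(record)
    return findings
```

Running it over a real file only needs the raw bytes (`open(path, "rb").read()`); object streams and other compressed containers would need decompressing first, which this scanner does not do.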

The Trojan attempts to connect to a predetermined list of malicious domains, such as jademason.com, 1foxfiisa.com and dolsgunss.com, and sends the following GET request:

  • GET /lde/ld.php?v=1&rs=55274-337-9393301-(removed)&n=1&uid=1 HTTP/1.0

SonicWALL Gateway AntiVirus provided proactive protection against this malicious PDF spam attack via the GAV: Suspicious#pdfexec (Exploit) signature. The signature has blocked more than 650,000 instances of this spam e-mail in the last two days.

screenshot

Geographical mapping of the spam attack via IP location:

World Map

screenshot

North America Map

screenshot
