Adobe Reader exploit in the wild(SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc)

Apparently an exploit PDF targeting the Adobe Reader vulnerability is already circulating.

The Adobe Reader vulnerability (see previous ISC post - CVE-2008-0655) is being exploited in the wild! A malicious PDF file (called 1.pdf in this example) served from IP address "85.17.221.2" (not active at this time) contains a malware specimen called Trojan, a variant of Zonebac. The IP address belongs to LeaseWeb, a hosting provider in The Netherlands we already notified.

So the takeaway is that 85.17.221.2 is the address to watch out for.

Lou Giannelli wrote to tell us that the translation we linked to above totally sucks. So he offered to provide a much better version:

Hi, this morning I found myself cleaning three PCs infected with a Trojan (a variant of Zonebac) that is not currently detected by the AV (an exclusivity, but at the same time, an old acquaintance). I take this opportunity to greet the staff of Libero. On all 3 PCs, the history contained the following IP at the time of the infection.
85.17.221.2

And among the temporary files, I found the following files (at the time of the infection).
Therefore, if you use IE and find this IP in the history, you have been infected by this Trojan. (It would be prudent to restrict this IP.)

I don’t want to name the involved portals, but for the time being I’ll watch the portals I suspect, expecting to be infected … (in fact, the infection takes place in a casual manner, perhaps through the banner)

I’ll inform the owner of the IP that such IP is hosting malware, and I’ll submit the infected files to AV vendors (so they can update their virus definitions) … and report this to the proper authorities (considering how expensive it is for those using dial-up connectivity).

Above all, a direct restriction to the portal hosting the virus is useless… considering the behavior in past similar cases. Bye, and keep your eyes peeled!

The truth will set you free.

Thanks Lou!!
