PDF Exploit Causes BSoD??? | TrendLabs | Malware Blog - by Trend Micro

The PDF exploit is reportedly detected as TROJ_PIDIEF.AC as of 24 June 2008.

A downloader delivered via Acrobat reportedly downloads a screensaver.

We have discovered a new Adobe Reader/Acrobat exploit (detected since 24 June 2008 as TROJ_PIDIEF.AC) hosted on the following URL:

http://{BLOCKED}e-actions.com/secure.cgi?…

The vulnerability targeted by this Trojan causes Adobe Acrobat to execute arbitrary malicious code that downloads and executes a file found in:

The downloaded file is saved inside a temporary folder as Eyal.exe. Trend Micro detects this file as TROJ_DLOAD.BO. This Trojan modifies the current wallpaper of the infected user to:

According to the Adobe Security Bulletin on this issue, the vulnerability exists in Adobe Reader 7.0.9 and earlier versions, 8.0 to 8.1.2, and in Adobe Acrobat 7.0.9 and earlier versions, 8.0 to 8.1.2. From our analysis the exploit does work on lower versions but only causes 8.1.2 to crash.

We believe that this was not the first time this specific vulnerability was exploited. So far, we have two other reports of malicious PDFs that behave in somewhat the same manner as the exploit discussed here. They are TROJ_PIDIEF.NN (detected since 07 June 2008) and TROJ_PIDIEF.AE (detected since 24 June 2008).

As of the most recent testing, TROJ_PIDIEF.AC is observed to download an info-stealer (mostly monitoring and gathering information about running processes, installed programs and system information) and a spammer which connects the compromised PC to a botnet. The common danger faced by users who encounter downloaders: you never really know what you’re going to get. Since malware writers have continuous access to the URL, they can update the downloaded file with different or more damaging payloads. It thus becomes all the more important to employ a protection suite that cuts off infection at various points of the attack.
