Malware writers are massively spamming an exploit for the recently patched Adobe vulnerability, and experts expect the attacks to continue.
Ken Dunham, director of global response for iSight Partners, told SCMagazineUS.com today that one of his source’s honeypots received the infected email once every 10 seconds. This indicates “a fairly heavy spamming taking place,” especially for home users in advance of the weekend, he said.
The shadowy Russian internet service provider, Russian Business Network (RBN), is behind the attacks, which attempt to infect users with two rootkits that seek to steal personal and financial information from compromised PCs, Dunham said.
“You have what looks like a PDF attachment,” he said. “It’s actually exploit code designed to download code from a remote server.”
Adobe patched the bug Monday, so those who upgraded to Adobe Reader 8.1.1 and Acrobat 8.1.1 are safe.
But it appears a Microsoft Windows URL handling vulnerability is the underlying cause for the attacks. The software giant revised its advisory on Thursday in response to the in-the-wild exploits. No patch is available yet from Microsoft.
“Third-party applications are currently being used as the vector for attack, and customers who have applied the security updates available from these vendors are currently patched,” Microsoft researcher Bill Sisk wrote Thursday on the Security Response Center blog. “However, because the vulnerability mentioned in (the) advisory is the Microsoft Windows ShellExecute function, these third-party updates do not resolve the vulnerability – they just close an attack vector.”
Adobe, in a statement, said it was aware of the attacks.
“Adobe recommends users exercise caution when they are in contact with unsolicited communications that request action, such as opening attachments from sources they do not trust or downloading files from websites they do not trust,” the statement said.
Dunham said he anticipates PDF malware attacks to continue for several months while users continue to run out-of-date Adobe software.
“Adobe Acrobat is one of the most popular file formats out there,” he said. “Exploitation is trivial. You just double click, and game over.”
These attacks are being hosted by the RBN, and Dunham suggested organizations blacklist the known offending IP addresses.
“They have a very large net block with thousands of domains,” he said. “Pretty much not a day goes by where I don’t see some kind of RBN attack.”
Experts advise users to patch and not open PDF attachments they were not expecting to receive. Alternatively, users can drag and drop the attachment into a Notepad file to examine the code, Dunham said.
“If you see URLs and it looks like a script, you should be on guard for that,” he said.