Matt Richard, director of the Rapid Response Team at VeriSign iDefense, told SCMagazineUS.com today that the exploits can be traced back to January, but went undiscovered by his team until late last week because the payload has little noticeable impact on the end-user.
The infection – which was not detected by the major anti-virus firms until iDefense notified them this weekend – is spread through malicious banner ads being hosted on legitimate websites, he said. Users, whose machines are not running Adobe Reader and Acrobat 8.1.2, are hit with a behind-the-scenes PDF exploit just by visiting the compromised sites.
The ensuing trojan, named Zonebac, does not include any information-stealing components, Richard said. Instead, the malware swaps certain banner ads with ones the scammers want to display.
But, Richard said, iDefense felt obligated to notify the anti-malware firms of the new exploits because other criminal groups, intent on financial fraud, could take notice and launch similar attack scenarios.
“What we wanted to get out to people was that it was being exploited,” Richard said. “At any moment, this could kick into high gear. We could have more PDF [exploits] all over the place – email, web -- pretty much anywhere.”
Last Wednesday, Adobe released its latest version of Acrobat and Reader to protect users from a number of security vulnerabilities, the company said in an advisory. Individuals still running version 7 were advised to upgrade, but they could implement a workaround.
The workaround, though, does not prevent the chance of an exploit as these users will still be asked to manually install the malicious code, Richard said.
Symantec estimates that “thousands of users” have been affected by the exploit, according to a Saturday blog post.
Richard said there were two distinct attack waves – one around Jan. 20 affecting users in Europe and another one 10 days later impacting mostly Americans.
The hackers purchased advertising space on a number of legitimate, but little known websites, Richard said. They then posted legitimate content on the ads, but silently redirected users to malicious content in the form of a blank, malware-laden PDF file.
“There's no user notification that this is happening,” Richard said. “Just displaying the banner ad is all that's required.”
Ad exchange firms have a difficult time stopping this attack because the criminal groups are adept at pulling a “bait and switch,” in which they remove the malicious code from the ads to avoid content scanning tools and then reinsert it.
Adobe spokesman John Cristofano told SCMagazineUS.com today in an email that the company was aware of the findings from iDefense and that users should upgrade to the latest edition of Reader and Acrobat.
The group responsible for the Zonebac trojan also was behind an October attack wave in which a RealPlayer zero-day flaw was exploited through third-party ads, Richard said.