PDF-Exploit for recently closed security hole

Adobe released version 9.3.1 of Reader and Acrobat in mid February. These versions fix a vulnerability which allows attackers to inject malicious code by luring victims into opening specially prepared PDF documents. Avira recently saw malicious PDF files in the wild which abuse this vulnerability in outdated versions of Adobe Reader and Acrobat.

Upon opening the PDF file with a vulnerable version of Adobe Reader, the software crashes and a malicious executable named “a.exe” is created in the system root “C:”. This dropped component is a Trojan which was detected by Avira’s AHeAD technology as “TR/Downloader.Gen”. It will receive the more specific name “TR/Dldr.Zitan.A” with one of the next updates.

The Trojan adds an autorun entry to the Windows registry: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Adobe_RLX=”c:\%filename%.exe reader”. After that it sends DNS resolve requests for some domains – ftp.tia***.***.biz and tia***.***.biz. The behavior of such PDFs – exploiting the vulnerable application, dropping a Trojan and then executing it automatically – is quite common.
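As an added example (not code from the original post), a small Python checker that parses a .reg export of the per-user Run key and flags the persistence entry described above. The .reg content, the benign entries and the "executable directly in the drive root" heuristic are constructed assumptions; only the Adobe_RLX value name comes from the post.

```python
import re

# Constructed .reg-style export of the HKCU Run key (not from the original post):
# the Adobe_RLX entry mirrors the one described above, the others are benign
# entries added for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Adobe_RLX"="c:\\a.exe reader"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

# Value name taken from the post; the drive-root heuristic is an assumed generalisation.
KNOWN_BAD_NAMES = {"Adobe_RLX"}
ROOT_EXE = re.compile(r'^"?[a-z]:\\[^\\"]+\.exe"?(\s|$)', re.IGNORECASE)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')

def parse_run_values(reg_text):
    """Return {value name: command line} for the Run key in a .reg export."""
    values, in_run_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run_key = line.rstrip("]").lower().endswith(r"\currentversion\run")
            continue
        m = VALUE_LINE.match(line)
        if in_run_key and m:
            name, raw = m.groups()
            # .reg escapes backslashes and quotes with a backslash; undo that
            values[name] = re.sub(r"\\(.)", r"\1", raw)
    return values

def suspicious_run_entries(reg_text):
    """Flag Run values that match the IoC name or launch an .exe from the drive root."""
    findings = {}
    for name, cmd in parse_run_values(reg_text).items():
        reasons = []
        if name in KNOWN_BAD_NAMES:
            reasons.append("value name matches the Zitan autorun entry")
        if ROOT_EXE.match(cmd):
            reasons.append("executable dropped directly in the drive root")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in suspicious_run_entries(SAMPLE_REG).items():
        print(f"{name}: {'; '.join(reasons)}")
```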

Starting with Virus Definition File 7.10.05.06, Avira IT-security solutions detect the malicious PDF as “EXP/Pidief.axa”. Avira users are thus safe from this threat. As always, to remain safe from harm it is wise to install security updates as soon as they are available – the Adobe updates have already been out for 3 weeks. As a further countermeasure, it is a good idea not to open files of unknown origin.

Dirk Knop
Technical Editor