While recently analyzing a malicious PDF file, I noticed a vulnerability exploited by the sample which I've never encountered before. After a bit of research I came to the conclusion that this specific sample exploited CVE-2010-0188. This is a fresh vulnerability, information about which was just published this February. It is described as possibly leading to arbitrary code execution, which is exactly what’s happening.

 

When the PDF file is loaded, Adobe Reader opens and then closes, while an executable file named a.exe is dropped directly onto the C:\ drive. The dropped executable, which is actually embedded into the PDF file, tries to connect to a .biz registered domain to download other files. JavaScript is again used to successfully exploit this vulnerability, so disabling it for unknown documents might be a good idea.

 

We currently detect the malicious file as Exploit:Win32/Pidief.AX (SHA1: 908ae499a474e3006253417c658e055a633e75a1) and the dropped malware as TrojanDownloader:Win32/Qaantiz.A. 

 

Fortunately Adobe has released an update to address the vulnerability which is offered automatically to all users. Read Adobe's security bulletin here and upgrade to the latest version of Adobe Reader and Acrobat. Users can pull down the 'help' menu and click on 'check for updates' to ensure that they're running the latest version.

 

As good practice, we advise every user to always update their programs as well as their operating system. We also advise users not to open files whose origins they don't trust.

 

Marian Radu
MMPC Dublin