New PDF malware spam
The SonicWALL UTM Research team discovered a new PDF malware campaign that has been heavily spammed in the wild since last night and that exploits the Adobe PDF flaw. More information about the PDF flaw is available here - Social Engineering Attack Against Adobe Reader (Apr 01, 2010)
The e-mail pretends to come from the administrator or operator of the recipient's mail domain. It tells the user to read the instructions in the attached PDF file, which supposedly concern new mailbox settings. The e-mail message looks like the one below:
If the user opens the PDF file, it prompts the user to click the Open button in order to view the document, as seen below:
However, the actual batch code that gets executed is hidden higher up in the dialog box, which can be seen here:
Once the user clicks the Open button, the embedded batch code is executed as shown above. It drops a malicious Trojan executable at the following location and then executes it:
- C:\Program Files\Microsoft Common\svchost.exe [Detected as GAV: Bezopi.A (Trojan)]
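As an added example (not SonicWALL's code and not the logic of the signature described on this page), the following Python triage scanner flags the mechanism this campaign relies on: the PDF /Launch action, which is the social-engineering flaw referenced above and lets a document ask Adobe Reader to run an external program such as cmd.exe with the batch commands that appear in the launch dialog. The two sample PDFs are constructed for the example, not real campaign files; objects inside compressed object streams are not inflated.

```python
"""Triage scanner for PDF /Launch actions (added example, not SonicWALL code)."""
import re

# PDF names may be hex-escaped (/#4Caunch is /Launch), so escapes are decoded
# before matching. Decoding is applied to the whole file as a triage heuristic;
# it is not a full PDF parser and does not inflate /ObjStm object streams.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
LAUNCH_ACTION = re.compile(rb"/S\s*/Launch\b")
# Tokens suggesting that the launched target is the command interpreter or a
# batch script; only consulted once a Launch action has been found.
SHELL_HINTS = re.compile(rb"(cmd(\.exe)?\b|\.bat\b|\.cmd\b|echo\s|copy\s|start\s)", re.I)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names match their plain spelling."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return a findings dict for a PDF supplied as raw bytes."""
    norm = normalize_names(data)
    launches = len(LAUNCH_ACTION.findall(norm))
    shell = bool(SHELL_HINTS.search(norm)) if launches else False
    verdict = "clean"
    if launches:
        verdict = "suspicious-launch-with-shell" if shell else "suspicious-launch"
    return {"launch_actions": launches, "shell_hints": shell, "verdict": verdict}


# Constructed sample: an OpenAction pointing at a Launch action whose /P
# parameter carries batch commands, with the action name hex-escaped.
MALICIOUS_SAMPLE = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Action /S /#4Caunch /Win << /F (cmd.exe)"
    b" /P (/c echo hello > note.txt) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed sample: a minimal document with no actions at all.
BENIGN_SAMPLE = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_pdf(sample))
```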
The Trojan attempts to connect to a predetermined list of malicious domains, such as jademason.com, 1foxfiisa.com and dolsgunss.com, and sends the following GET request:
- GET /lde/ld.php?v=1&rs=55274-337-9393301-(removed)&n=1&uid=1 HTTP/1.0
SonicWALL Gateway AntiVirus provided proactive protection against this malicious PDF spam attack via the GAV: Suspicious#pdfexec (Exploit) signature. The signature has blocked more than 650,000 instances of this spam e-mail in the last two days.
Geographical mapping of the spam attack via IP location [Figures: World Map; North America Map]