A malicious PDF file has turned up which exploits a new security vulnerability in Adobe Reader and Acrobat – including the most current versions 9.3.4 and 8.2.4, on all supported platforms. Adobe has not yet released an update that fixes the vulnerability, although the company is aware of the problem.
The weakness is a buffer overflow in CoolType.dll, the font engine shipped with Adobe Reader and Acrobat. When a PDF document embeds a specially crafted font carrying a SING (Smart INdependent Glyphlets) table, the font parser can be made to overflow the buffer and execute attacker-supplied code.
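As an added example (not code from the original post or from Avira), the following Python script performs the triage check a responder would want on a suspect PDF before opening it anywhere: it pulls every stream object out of the file, inflates FlateDecode streams, walks the table directory of any embedded sfnt (TrueType/OpenType) font and reports each SING table it finds, since SING tables are rare in ordinary documents. It assumes the SING table layout from Adobe's SING specification, in which uniqueName is a 28-byte NUL-terminated field at offset 16 of the table; the extra heuristic of flagging a uniqueName with no terminator inside those 28 bytes is this example's own, chosen because a fixed-size string field is exactly what a font parser would copy as a C string. The PDF and font fixtures are constructed inline; no part of the real exploit's payload is reproduced.

```python
import re
import struct
import zlib

SING_TAG = b"SING"
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")
# SING table layout per Adobe's SING spec (assumption of this example):
# eight uint16 header fields, then a 28-byte NUL-terminated uniqueName.
UNIQUE_NAME_OFF = 16
UNIQUE_NAME_LEN = 28
# PDF keyword "stream", but not the "stream" inside "endstream".
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def build_sing_font(unique_name: bytes) -> bytes:
    """Constructed fixture: a minimal sfnt whose only table is SING.

    Enough structure for a table-directory walker, not a usable font.
    """
    header = struct.pack(">8H", 1, 0, 1, 0, 0, 1000, 0, 0)  # version..vertOrigin
    sing = header + unique_name + b"\x00" * 16              # + 16-byte METAMD5
    offset_table = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    data_offset = 12 + 16                                    # offset table + 1 record
    record = struct.pack(">4sIII", SING_TAG, 0, data_offset, len(sing))
    return offset_table + record + sing


def build_pdf(font: bytes, compress: bool = False) -> bytes:
    """Constructed fixture: wrap a font in a single FontFile2-style stream."""
    data = zlib.compress(font) if compress else font
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(data)).encode() + filt
            + b" >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n")


def iter_streams(pdf: bytes):
    """Yield (offset, decoded bytes) for every stream object in the PDF."""
    for m in STREAM_RE.finditer(pdf):
        data = m.group(1)
        # The stream dictionary immediately precedes the keyword; a bounded
        # look-back is enough to spot the filter without a full PDF parser.
        if b"FlateDecode" in pdf[max(0, m.start() - 512):m.start()]:
            try:
                # decompressobj tolerates a truncated trailer, which matters
                # when triaging damaged or deliberately odd files.
                data = zlib.decompressobj().decompress(data)
            except zlib.error:
                continue
        yield m.start(), data


def find_sing_tables(font: bytes):
    """Walk an sfnt table directory and return the raw bytes of each SING table."""
    if len(font) < 12 or font[:4] not in SFNT_MAGICS:
        return []
    (num_tables,) = struct.unpack(">H", font[4:6])
    tables = []
    for i in range(num_tables):
        rec = font[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            break  # directory runs past the end of the data: malformed, stop
        tag, _checksum, off, length = struct.unpack(">4sIII", rec)
        if tag == SING_TAG:
            tables.append(font[off:off + length])
    return tables


def scan_pdf(pdf: bytes) -> list:
    """One finding per SING table in any embedded font stream.

    Any SING table deserves a second look; an unterminated uniqueName is the
    extra heuristic this example adds for a field a parser would treat as a string.
    """
    findings = []
    for pos, data in iter_streams(pdf):
        for sing in find_sing_tables(data):
            field = sing[UNIQUE_NAME_OFF:UNIQUE_NAME_OFF + UNIQUE_NAME_LEN]
            findings.append({
                "stream_offset": pos,
                "sing_table_len": len(sing),
                "unique_name_terminated": b"\x00" in field,
            })
    return findings


if __name__ == "__main__":
    benign = build_pdf(build_sing_font(b"glyphlet-a".ljust(28, b"\x00")))
    suspect = build_pdf(build_sing_font(b"A" * 200), compress=True)
    for label, doc in (("benign", benign), ("suspect", suspect)):
        print(label, scan_pdf(doc))
```

Run it against a real file with `scan_pdf(open(path, "rb").read())`. The look-back for the filter keyword and the regex-based stream extraction are deliberate shortcuts that keep the script dependency-free for a quick look on an analysis box; a production gate should decode streams with a real PDF parser, and any hit at all (not only an unterminated name) is reason to quarantine the file until a patched reader is available.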
So far the malicious PDF has only been seen in limited attacks. It appears to be an early implementation of the exploit: Reader crashes when the file is opened, after which a second, harmless-looking PDF is displayed to disguise the fact that an infection has taken place.
When the exploit runs, it first checks whether the installed Reader is vulnerable; if the version is too old for this exploit, it shows a message telling the user to update to a newer Adobe Reader version. It then drops the file “Documents and Settings\<Username>\Local Settings\Temp\hlp.cpl”, which is detected as the Trojan TR/Dldr.Small.pgn, and starts it. The dropped Trojan in turn tries to download http://xxxxxxxxxxx.us/from/wincrng.exe and store it as winhelp32.exe; at the time of writing that file is no longer online. It also drops the camouflage PDF to “Documents and Settings\<Username>\Application Data\golf clinic.pdf” and opens it via a function in the Trojan called “MakeAndShowEgg”. Finally, the criminals try to wipe the traces of the attack: the Trojan creates the batch file DMS.BAT, which deletes hlp.cpl.
As there is no fix available yet, it is very important to be careful about which PDF files you open. Do not open PDF files sent by email from strangers, and avoid opening PDFs from websites unless you really need them. Where possible, use an alternative PDF reader such as the basic viewer built into Google Chrome or Foxit Reader, which is not affected by this vulnerability.
Avira has added detection for the malicious PDF as EXP/Pidief.WM.