Malicious PDF files being spammed out in volume

F-Secure has been monitoring a large mailing of malicious PDF files. These PDF files exploit a recent vulnerability. When such PDF files are viewed on vulnerable machines, they get infected.

An unknown party has been sending out tens of thousands of mails with Subject-lines like:

• Your credit report
• Personal Financial Statement
• Your Credit File
• Balance Report

The mails contain no mail body, only an attachment called "report.pdf". When opened, the PDF file uses the CVE-2007-5020 vulnerability via Acrobat Reader and IE7 and downloads further malware from a server in Malaysia. The target of the malware seems to be to create a botnet of infected machines to be used for further malicious activity.

"We're worried about this case, as PDF attachments are typically not filtered at email gateways", says F-Secure's Chief Research Officer Mikko Hypponen. "Executable files are now stripped almost everywhere, but PDF is stripped almost nowhere".

"Also, a security update for Acrobat Reader was just made available few days ago, so there are tons of users who haven't had a chance to update yet".

F-Secure Anti-Virus detects the report.pdf malware as Exploit:W32/AdobeReader.K.

Further information is available via F-Secure blog at http://www.f-secure.com/weblog/