Adobe's Vulnerability Fix May Have Triggered Trojan Outbreak

A mere day after Adobe made available a patch for its Reader and Acrobat software that plugs a vulnerability in how that software is leveraged to exploit Windows XP and Internet Explorer 7, technicians at Symantec and elsewhere noticed active exploits in the wild.

"So far we have seen a fair number of emails containing this new Trojan in the wild," wrote Symantec engineer Hon Lau last week. "It is likely that Trojan.Pidief.A has been spammed out in targeted attacks on specific business organizations."

Sophos Labs currently rates the prevalence of the exploit as "Low," and has dubbed it Troj/PDFex-A. As its engineers explain in a bulletin updated yesterday, the version they've discovered "will often arrive as a PDF document attached to an email with a subject line of INVOICE or STATEMENT." Symantec's note says the subject line may actually include "STATEMET," noting the misspelling.

There's nothing particularly unique about the payload it delivers either. Once the offending PDF is opened, Symantec explained, an intentionally malformed URL will trigger the execution of the typical Trojan "Downloader" file, in use since 2001.

Despite the fact that the total assembly time for this exploit may have been less than 10 minutes, given the fact that the entire trigger for the payload was given in a proof-of-concept explanation by a security engineer last month, the typical band of Russian suspects appears to be falling over themselves in a race to take credit. Security engineering form SecureWorks discovered the Trojan prior to Symantec. It believes the payload being delivered is a form of the Gozi Trojan which the company last August claimed was being delivered by servers associated with the Russian Business Network (RBN).

All current and updated versions of Symantec's and Sophos' anti-virus programs are said to be capable of detecting and removing this Trojan.