Who's Behind the Adobe pdf Exploit?



09/13/2010




Kevin R. Smith
Co-Editor


Now that researchers at places like Symantec (makers of Norton Antivirus) have had a chance to delve into the exploit, some theories are starting to emerge about who's behind it.

Karthik Selvara, a researcher at Symantec, writes in a Symantec blog post:

While things had been quiet, we were quite certain that the gang behind Trojan.Hydraq hadn't gone away. It looks like they are back, as we've been seeing evidence of their attacks since January....

Where it gets interesting is in the dissection Karthik does.

He takes apart the various parts of the email, the social engineering, and the exploit itself, and lo and behold, the techniques are eerily similar to those seen in the Hydraq (Aurora) attacks.

The next quote is a little long, but given how concisely Symantec describes the exploit and the attack, we'll let the Symantec blog speak for itself here:

"If the above emails look familiar, it is because their style is very similar to the emails used in Hydraq (Aurora) attacks.

"In addition, the use of a zero-day within a PDF, and how the executable is dropped on the system, all match the Hydraq method of operation.

"Furthermore, we have seen a large number of detections of unique versions of the PDF--not yet seen elsewhere in the wild--coming from a single computer in the Shandong Province of China, which is how far back investigators were able to trace the Hydraq attacks. [Editor's Note: Emphasis mine.]

"All of these similarities could be coincidental, but these attacks appear to be from the same perpetrators.

"The PDFs inside all the above emails exploit the same Adobe zero-day vulnerability and each drop similar downloader components, but with different decoy PDFs. Some had different URLs to download additional malware."

Huh. Attacks based in China. Who would have guessed?

Frequent readers may recall a list we shared not long ago of the Top 10 Riskiest Domains by Extension, on which China placed third.

All in all, aside from the excellent analysis by Symantec's researchers, we'd also like to echo their equally sound suggestions about PDFs:

  1. Keep your antivirus software up to date.
  2. Exercise caution when dealing with PDF files.
  3. Disable JavaScript in your PDF reader (e.g. in Acrobat/Reader: Edit > Preferences > JavaScript, untick "Enable Acrobat JavaScript").

One caveat on item 3: turning JavaScript off raises the bar for exploitation, but it does not remove the underlying flaw in the reader. Only Adobe's patch does that, so install it as soon as it is released.
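Item 2 is easier to act on with a concrete check. The script below is an added example, written for this post and not taken from the Symantec write-up or from any vendor tool. It looks for the indicators a cautious reader should want to see before opening a PDF (names such as /OpenAction, /JavaScript, /JS and /Launch), undoes the #xx name escaping that the PDF format permits (a trick used to hide /JavaScript from naive keyword scanners), and inflates Flate-compressed streams so that objects packed into an object stream are scanned as well. The keyword list, the verdict rules and the two sample documents are this example's own constructions; the samples contain no real payload.

```python
import re
import zlib
from collections import Counter

# Names worth a closer look before a PDF is opened.  This list is the example's
# own assumption (the usual pdfid-style triage set), not taken from the post.
SUSPICIOUS_NAMES = (
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/ObjStm",
)

# A name token runs from '/' to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/([^\s/<>\[\]()\{\}%]*)")
# Raw body of a stream object; Flate-compressed bodies hide names from grep.
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def unescape_name(raw: bytes) -> bytes:
    """Undo the #xx escape PDF allows in names: /J#61vaScript is /JavaScript.
    Malicious files use the escape to slip past keyword scanners."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def extract_names(data: bytes) -> Counter:
    """Count every name token in data after unescaping it."""
    counts = Counter()
    for m in _NAME_RE.finditer(data):
        counts[b"/" + unescape_name(m.group(1))] += 1
    return counts


def inflate_streams(data: bytes) -> bytes:
    """Return the plaintext of every stream zlib can inflate, joined together.
    Streams with other filters, or damaged ones, are skipped: the scan then
    sees only what the raw file exposes."""
    out = []
    for m in _STREAM_RE.finditer(data):
        try:
            # decompressobj ignores the newline that precedes 'endstream'
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(out)


def triage(pdf: bytes) -> dict:
    """Summarise the risk indicators in a PDF without rendering it."""
    names = extract_names(pdf) + extract_names(inflate_streams(pdf))
    hits = {n: names[n.encode()] for n in SUSPICIOUS_NAMES if names[n.encode()]}
    has_js = bool(hits.get("/JavaScript") or hits.get("/JS"))
    auto_exec = bool(hits.get("/OpenAction") or hits.get("/AA"))
    if has_js and auto_exec:
        verdict = "review"      # script wired to run as soon as the file opens
    elif hits:
        verdict = "suspicious"  # active content present, not obviously auto-run
    else:
        verdict = "clean"       # nothing visible to this scan; not proof of safety
    return {"header_ok": pdf.startswith(b"%PDF-"), "hits": hits,
            "has_js": has_js, "auto_exec": auto_exec, "verdict": verdict}


# --- constructed samples for this example (not real malware) ----------------
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# An /OpenAction whose action type is #-escaped, plus a /Launch action tucked
# into a Flate-compressed object stream where a plain grep would never see it.
_HIDDEN_OBJ = b"6 0 << /S /Launch /F (calc.exe) >>"
_PACKED = zlib.compress(_HIDDEN_OBJ)
SUSPICIOUS_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_PACKED)).encode() + b" >>\nstream\n" + _PACKED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage(sample))
```

Run it over a saved attachment before opening the file. A verdict of "review" means the document carries script content wired to execute on open, which is the shape a dropper PDF takes; "clean" only means nothing was visible to this scan, since streams using filters other than Flate, and encrypted documents, are not inspected.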

One last note: all the major antivirus vendors are detecting this attack, with Norton flagging it as Bloodhound.PDF!gen1 and as Bloodhound.Exploit.357.
