For the last couple of weeks, we have been seeing a wave of malicious PDFs crafted to exploit security flaws in PDF reader software. In the last two weeks alone, we have detected more than 25,000 attacks involving this type of file. Attackers are exploiting two different vulnerabilities in Adobe Acrobat Reader to execute arbitrary code on victim computers and install malware. The two vulnerabilities are described in detail here: CVE-2007-5020 and CVE-2007-5659. Adobe Reader 8.1.2 and later (that is, any version higher than 8.1.1) are not vulnerable to these attacks, so updating is the complete fix. Note that disabling JavaScript in Reader only blocks the CVE-2007-5659 exploit, which targets the JavaScript engine; it does not cover CVE-2007-5020, which abuses mailto: URI handling. We have seen malicious PDFs being distributed as email attachments, but also in exploitation packs such as NeoSploit that use this file format as another way to attack web browsers.
ESET NOD32 Antivirus detects these PDF threats as PDF/Exploit.Pidief. The final payload of these attacks is, most of the time, a fake antivirus program such as XP Antivirus, which our products detect as Win32/Adware.Antivirus2008.
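As an added example, not taken from the original post and not ESET's detection logic, here is a small Python triage script for PDFs of this kind. It assumes, which the post does not state, that the in-the-wild exploits for CVE-2007-5659 call the Collab.collectEmailInfo() JavaScript method and that CVE-2007-5020 is reached through a mailto: URI. The PDF samples it builds are constructed test inputs, not real malware. Before matching, it inflates FlateDecode streams and decodes #xx escapes in PDF names, because real samples routinely hide /JavaScript and /OpenAction behind both, and a plain string search would miss them.

```python
import re
import zlib

# Triage indicators. Assumption (not stated in the post): the in-the-wild
# CVE-2007-5659 exploits call Collab.collectEmailInfo(), and CVE-2007-5020 is
# reached through a mailto: URI. Name patterns reject a following letter so
# that /JS does not match /JSX and similar.
INDICATORS = {
    "js_action":    (rb"/JavaScript(?![A-Za-z])", "JavaScript action dictionary"),
    "js_inline":    (rb"/JS(?![A-Za-z])",         "inline JavaScript"),
    "open_action":  (rb"/OpenAction(?![A-Za-z])", "action run automatically on open"),
    "aa":           (rb"/AA(?![A-Za-z])",         "additional (automatic) actions"),
    "launch":       (rb"/Launch(?![A-Za-z])",     "launch action"),
    "collab_email": (rb"Collab\.collectEmailInfo", "method hit by the CVE-2007-5659 exploits"),
    "mailto":       (rb"mailto:",                  "mailto: URI, the CVE-2007-5020 vector"),
    "unescape":     (rb"unescape\(",               "shellcode typically staged with unescape()"),
}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names, so /J#61vaScript reads as /JavaScript."""
    return _NAME_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the decompressed body of every Flate-compressed stream to the data.
    Streams that are not zlib data are skipped; their raw bytes are already in `data`.
    decompressobj() tolerates the newline that trails the stream body."""
    decoded = []
    for m in _STREAM.finditer(data):
        try:
            decoded.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return data + b"\n" + b"\n".join(decoded)


def scan_pdf(data: bytes) -> set:
    """Return the set of indicator tags found in the (inflated, name-normalized) PDF."""
    text = normalize_names(inflate_streams(data))
    return {tag for tag, (pattern, _) in INDICATORS.items() if re.search(pattern, text)}


def verdict(tags: set) -> str:
    """Crude triage: a known exploit method, or JavaScript wired to an automatic
    trigger, is enough to quarantine the file for manual analysis."""
    if "collab_email" in tags or (tags & {"js_action", "js_inline"} and tags & {"open_action", "aa"}):
        return "quarantine"
    return "review" if tags else "clean"


# Constructed stand-in for the exploit script (hypothetical, not a real sample):
# real exploits pad the argument with a long string to trigger the overflow.
EXPLOIT_JS = b"var sc = unescape('%u9090%u9090'); Collab.collectEmailInfo({msg: sc});"


def build_sample_pdf(js: bytes = None, compress: bool = False) -> bytes:
    """Build a minimal PDF (constructed test input). With `js`, the catalog's
    /OpenAction runs it; the script stream is Flate-compressed when `compress`
    is set, as most real samples are. Object 1 is the catalog, 2 the page tree,
    3 the JavaScript action and 4 the script stream."""
    objs = [b"", b"<< /Type /Pages /Kids [] /Count 0 >>"]
    open_action = b" /OpenAction 3 0 R" if js is not None else b""
    objs[0] = b"<< /Type /Catalog /Pages 2 0 R" + open_action + b" >>"
    if js is not None:
        body = zlib.compress(js) if compress else js
        filt = b" /Filter /FlateDecode" if compress else b""
        objs.append(b"<< /S /JavaScript /JS 4 0 R >>")
        objs.append(b"<< /Length %d%s >>\nstream\n%s\nendstream" % (len(body), filt, body))
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, start=1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    obfuscated = (build_sample_pdf(EXPLOIT_JS)
                  .replace(b"/JavaScript", b"/J#61vaScript")
                  .replace(b"/OpenAction", b"/Open#41ction"))
    samples = [("benign", build_sample_pdf()),
               ("exploit, compressed stream", build_sample_pdf(EXPLOIT_JS, compress=True)),
               ("exploit, escaped names", obfuscated)]
    for label, pdf in samples:
        tags = scan_pdf(pdf)
        print(f"{label}: {verdict(tags)} {sorted(tags)}")
```

The two decoding steps are the whole point: the compressed sample contains neither "/JS" in readable form inside the stream nor the Collab string in the raw bytes, and the escaped sample contains no literal "/JavaScript" at all, yet both scan identically to the plain version. Regex over raw bytes is a triage aid, not a parser; a file that passes it can still be malicious, so treat "clean" as "nothing obvious".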
Author Pierre-Marc Bureau, ESET