Looking into their crystal balls (no jokes, please) at the end of 2009, our colleagues in Latin America came up with a prophecy that was later incorporated into a white paper (2010: Cybercrime Coming of Age):

In June 2010, one of the most popular regular sports events, the soccer World Cup, will take place in South Africa. We can expect that this will be a widely exploited topic in social engineering attacks, due to the great interest it will inspire in many users.

Well, we did also say:

A very common use of social engineering in the context of malware is to attract the attention of the potential victim sitting in front of the computer. A particularly effective way of achieving this is to make use of topics that have importance in people’s lives, or which currently preoccupy the media, or even to invent eye-catching stories.

So I guess that it's not too surprising that a World Cup-themed malware attack has made an appearance, as reported by John Leyden in The Register. The attack takes the form of an email allegedly from safari organizer Greenlife, containing a PDF attachment based on Greenlife's genuine guide to the "first African edition of football's most prestigious tournament": that's soccer, by the way, not football as it's most often played in the US, in case you missed the reference above. However, the attachment is rigged to take advantage of an Adobe Reader vulnerability to install malware onto machines that haven't been updated with the patch released on the 16th February (CVE reference CVE-2010-0188, Adobe reference http://www.adobe.com/support/security/bulletins/apsb10-07.html).

So the take-home messages are:

  1. Make sure you're up-to-date on your Adobe patching (and any other high risk application patches, not to mention OS patches).
  2. PDFs are a risky format these days: if they come from an unrecognized source, or come unsolicited, that makes them all the more risky (and suspicious).
  3. Keep in mind our advice above: any interesting event (real or imagined) is likely to be used as a hook for social engineering and malware distribution.
  4. And, of course, check that your antivirus software is up-to-date. I'm not sure how many vendors have detection for this now, but we detect it as PDF/Exploit.CVE-2010-0188.

Kudos to Messagelabs for catching this one early and for a very comprehensive description.

David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence
