Thursday, March 27, 2008

Chinese pdfs

Don't open them, at least not if you're a Tibetan dissident:

Here's an email that was mailed to a pro-Tibet mailing list three days ago.

It looked like it was coming from the Unrepresented Nations and Peoples Organization (UNPO). However, the email headers were forged and the mail was coming from somewhere else altogether.

Seemingly, the mail issued a statement of solidarity for the people of Tibet
When you open the attached PDF file, you actually get a real PDF document with a relevant statement
However, this is not a normal PDF document. It contains a modified version of a PDF-Encode vulnerability
to exploit Adobe Acrobat when the document is opened.

The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a
keylogger that collects and sends everything typed on the affected machine to a server running at And is a Chinese DNS-bouncer system that, while not rogue by itself, has been used over and over again in various targeted attacks.

The exploit inside the PDF file was crafted to evade detection by most antivirus products at the time it was sent.


No comments: