New Zeus attack uses Adobe design flaw

Websense Security Labs has identified a trojan campaign spreading the Zeus software via email, with over 2200 messages seen as of 10 AM Eastern time today. The attack uses a malicious PDF file containing an embedded command that, when the PDF is viewed, prompts the user to open another file. The PDF asks the user to save a file called Royal_Mail_Delivery_Notice.pdf; this file is actually a Windows executable that installs the Zeus trojan.

The executable creates a subdirectory in the Windows SYSTEM32 directory and installs configuration files for itself, then copies itself there as an executable and modifies the operating system registry so that it launches during system startup. According to Websense, it connects to a server in China. Malicious file analysis service VirusTotal reports that the file in question was detected by 20% of the anti-malware products tested.

Mickey Boodaei, CEO of anti-malware company Trusteer, said the attack fulfilled a prediction he made recently that a flaw discovered in Adobe's PDF file format would be exploited to install malware. The flaw, discovered by researcher Didier Stevens, enables attackers to use the Launch function within the PDF specification to run a program from a fully patched copy of Adobe Reader. Stevens showed how the wording of the dialog boxes presented by Adobe Reader could be altered and combined with a social engineering attack to persuade users to let a PDF file launch an executable program.
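The Launch function described above is a plain PDF dictionary entry (an action with /S /Launch), so mail gateways and incident responders can triage attachments for it without opening them in a reader. The scanner below is an added example written for this article; it is not code from Websense, Trusteer or Didier Stevens, and the three sample PDFs it scans are constructed inline (they are not the Royal Mail sample and will not render). It normalises the two evasions a practitioner should expect, #xx-escaped names such as /L#61unch and Launch objects hidden inside FlateDecode streams, and then counts a small, assumed set of indicators; the indicator list and the "suspicious" rule are the author's choices, not a standard.

```python
import re
import zlib

# Constructed sample 1: catalog whose OpenAction points at a Launch action.
# The action name is #xx-escaped (/L#61unch) to show name normalisation.
SAMPLE_LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /L#61unch /F (dropped_file.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: a harmless one-page document with no actions at all.
SAMPLE_CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 3: the Launch action lives inside a compressed object
# stream, so a naive grep of the raw file would miss it.
_INNER = b"4 0 obj << /Type /Action /S /Launch /F (dropped_file.exe) >> endobj"
_COMPRESSED = zlib.compress(_INNER)
SAMPLE_STREAM_PDF = (
    b"%PDF-1.5\n5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_COMPRESSED)).encode() + b" >>\nstream\n"
    + _COMPRESSED + b"\nendstream\nendobj\n%%EOF\n"
)

# Assumed indicator set: the Launch action itself plus the entries that
# commonly accompany it in a lure (auto-run on open, an embedded payload, JS).
INDICATORS = {
    "launch_action": rb"/S\s*/Launch\b",
    "open_action": rb"/OpenAction\b",
    "embedded_file": rb"/EmbeddedFile\b",
    "javascript": rb"/JavaScript\b|/JS\b",
}


def decode_name_escapes(data: bytes) -> bytes:
    """Expand #xx escapes in PDF names so /L#61unch compares as /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the plain-text body of every zlib-compressed stream to the data.

    decompressobj() is used rather than zlib.decompress() so that a stream
    with a stray trailing byte or a missing checksum still yields its content.
    """
    inflated = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not FlateDecode (or not compressed at all); skip it
    return data + b"\n" + b"\n".join(inflated)


def scan_pdf(data: bytes) -> dict:
    """Return indicator counts for one PDF plus a boolean verdict.

    Normalisation order matters: streams are inflated first so that names
    inside them are also un-escaped before matching.
    """
    normalized = decode_name_escapes(inflate_streams(data))
    hits = {name: len(re.findall(pattern, normalized))
            for name, pattern in INDICATORS.items()}
    # Assumed triage rule: any Launch action is enough to quarantine for review.
    hits["suspicious"] = hits["launch_action"] > 0
    return hits


if __name__ == "__main__":
    for label, sample in (("launch", SAMPLE_LAUNCH_PDF),
                          ("clean", SAMPLE_CLEAN_PDF),
                          ("stream", SAMPLE_STREAM_PDF)):
        print(label, scan_pdf(sample))
```

Run it on a real attachment with `scan_pdf(open(path, "rb").read())`. The regex-based approach deliberately avoids a full PDF parser so it cannot be crashed by a malformed file, but it will not see inside streams that use filters other than FlateDecode (for example ASCIIHex or LZW) or inside encrypted documents; treat a file whose streams fail to inflate as "unknown" rather than "clean".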

"We said last week that cyber criminals and hackers will try to exploit this structural Adobe issue using social engineering techniques, which [lure] Internet users into a false sense of feeling safe and that is exactly what has happened this week," Boodaei said.
