Nasty PDF exploit runs wild

A day after Adobe patched a serious security hole in its Reader and Acrobat programs, miscreants are flooding email inboxes with malware-tainted PDF files that try to remotely hijack vulnerable computers. The malware, identified by Symantec researchers as Trojan.Pidief.A, is included in PDF files attached to a "fair number of …

COMMENTS

This topic is closed for new posts.

how to deal with the ru55ians

the only way to deal with a company like that (which openly breaks international laws like that and is basically just pure scum, but protected by politicians and bribes and bought favours etc), is to cut off the whole of russia.

the rest of the world should annex russia from the phone system until its politicians get their act together enough to play ball and stop the child porn hosts and other scams. or maybe just st petersburg.

under that sort of pressure they will break under the anger of fellow russians. I mean, I'm sure most people are honest and decent, but they need to sort it out and stop spoiling it for everyone.

its kind of like the argument about muslims sitting by and saying that most of them are innocent and peaceful, instead of taking upon themselves to oust their disruptive element, seeing as they have the closest ties and best ability to do so. (or any other religion etc)

I don't like spamware and trojans and phishing scams and having to spend hours virus checking and fixing my non-IT-literate relatives' computers. Wouldn't it be much easier for someone to just cut the whole place off for a bit?

for example like the Russ1ans did to the australian bank website.

read this

http://economist.com/displaystory.cfm?story_id=9723768

ps. yeah I know the activists will get a bit moany if we cut off Russia's communications, but if what VeriSign say is true ("Every major trojan in the last year links to RBN") then I think we certainly need to do something drastic and extreme.


WTF?

"nearly identical to September 2006 Vector Markup Language (VML) zero-day attacks that took place one year ago"

As opposed to the September 2006 attack that took place five years ago?

<sigh>


@ Aubry

It's from the same department as those who make the signs saying "imported bananas". Because we all know the ones that aren't imported aren't as good. Or something.


Anyone know the ip range for...

"Russian Business Network" I'd sure like to add them to my hosts file

:)


@Jesus Puncher

I know - let's run the possibility of totally disrupting a country's economy so that we can shut down something that we don't like.

Next, if that is done and works, let's cut off the communications links from Iraq, since they are still fighting back and objecting to being "liberated".

Then do the same to Iran, since they're not playing nice and are developing a nucular program.

Next stage would be spam nets - let's kill any ISP that allows its users to have infected machines.

Finally, let's get all the lies off the internet. Any website that contains lies designed to misrepresent the great and good truths of the world (democracy is perfect, Christianity is the one true faith, etc) should be banned!

Comrade, our work is done.


no longer executable attachments are dangerous

What I'm worried about is that the conventional notion of only _executable_ attachments being dangerous no longer applies.

we've already seen MS-Word documents (using macros) and other types of non-executable (now including pdf) documents become dangerous

non-informed, or casual informed users will not expect dangers from such attachments and happily open them not expecting anything bad to happen.

I don't really have a point here, except to say that it's impossible for all users to get streetwise to every possible threat.

kudos to Adobe for fixing this thing quickly


Foxit Reader

I dumped Adobe Reader ages ago and switched to Foxit Reader instead. Much smaller and faster. www.foxitsoftware.com


What about other PDF readers?

I gave up using Adobe's slow and bloated reader a long time ago. I use Foxit Reader which is free and fires up in seconds. Does anyone know if this or other alternatives are affected by this exploit?

I'm tempted to add something to the effect of Reg readers not being stupid enough to open unsolicited attachments, but nobody's perfect, and the scammers are getting cleverer (naming the attachments things like "INVOICE.pdf").


Re: how to deal with the ru55ians

And just think how clean our inboxes would be if there was no spam coming from russia. Unfortunately we would all miss the "My name is ------- and I am from Russia, I would like to send you my pics and meet up for ....." "just send me your bank details so I can by a plane ticket to cum meet you" messages I get.


ISP IGNORANCE !

I think the solution to this is very simple - the debate about ISPs taking ownership of such problems has been an ongoing issue. The problem being the corporations supplying the detection software want the additional license money from the individuals - which is fair enough.

I think a similar scenario would have to be making guns legal in the UK and us having to purchase bullet proof vests, if we didn't purchase them then it would be our own fault for not doing so in the event of being shot.

It's a simple system to put in place but then again this may stop the authorities using the same tactic -

http://www.theregister.co.uk/2007/10/23/teutonic_trojan/

A scenario one organisation is considering against an ISP is that by allowing this type of attack to pass through their systems unchallenged they are effectively condoning the attack. Sanctioned by inaction.

Anyhow, the issue in my opinion isn't about individuals carrying out such attacks as in modern business you will do what you have to to survive - it's about stopping them and removing the option.


I just love this situation

Here we have an ISP who, by popular knowledge, provides "bullet-proof hosting" to criminal organizations. Everyone knows it, it's practically flagged on Mappy with a great big sign, yet nothing is done about it.

I should hope that a truly working Russian police force would be tracking its users right now, checking each one of them to weed out any possible innocents, and nailing the real criminals to the wall.

Oh, sorry, I must have watched too many American cop stories. I forgot that the Russian mafia already owns the head cop in every district.


You get what you deserve

If you are STILL stupid enough to run closed-source software, you deserve whatever the hell you get. There is Open Source software available to do everything, nowadays (including reading and writing PDF documents). Knowing what I know, I'd sooner use a pencil and paper than closed-source software.

Any software whose Source Code has not been independently audited (i.e., by someone other than the vendor) should be considered potentially unsafe. Any software whose vendor is unwilling to supply the Source Code for audit should be considered actually dangerous. You wouldn't buy a cake without a list of ingredients and a breakdown of protein, fat and carbohydrates, would you? Would you stand for the manufacturer telling you it was none of your damned business what was in their cakes? Why the hell are you putting up with this sort of behaviour from software vendors?

IT buyers -- you're in a great position to do something about this. Demand the Source Code; and if your suppliers won't budge, then *you* budge. Tell them straight -- if other people are willing to show us their Source Code which does the same as what your program does, then it can't be *that* special. Harassed family members -- just give your granny Ubuntu or Mandriva and let her get on with surfing and e-mailing, and get your kids a games console (or maybe send them into the Big Blue Room to get some fresh air and exercise). Everybody -- write to your MP and demand that the vile practice of concealing Source Code from users be outlawed.

Anonymous Coward

@Jesus Puncher

Nice, punish 140000000 people because a few of them publish malware. I think we should shoot all Reg posters because some of them are intollerant generalists.

/pops self


Cut off Russia? oh yeah...

... that would work </sarcasm>

1 Cutting off the phone system wouldn't stop internet traffic

2 They would cut off the west from their oil and gas in retaliation - £2/litre petrol anyone? No central heating this winter?

3 They managed for years as a super power with little telephonic communication with the west. Putin would just retrench back into Soviet style cold war politics.

4 Trojan sites moved to satellite countries - cut those off too? where do you stop? Some ex-Soviet satellites are members of the EU now; cut off all of Europe? How about China?

5 What about phone lines routed through Russia? Assume the Russians wouldn't tap into those or cut them off too? So that is about two-thirds of the world cut-off by now.

Why not cut off the US too, as they are the source of about 80% of spam?

If you want to cut-off anything (rather than your own nose to spite your face) why not persuade ISPs to block/label all emails with RBN's IP addresses in the header. That at least has the benefit of actually being possible - it's already being done for some IP addresses, by ISPs in the US and Europe.


@Jesus puncher

While we're at it, let's disconnect the USA. One of the largest providers of Spam and kiddie porn...

Stu..


@Jesus Puncher

How about you cutting yourself off and thus isolating the Russians and the entire world, keeping yourself secured and doing humanity a great favour in the process?

And you cannot cut anyone off by "annexing" - to annex means "to add".

BTW these viruses only work because of failings in the poorly written software such as Windows and Acrobat and those are not Russian.


@AJ Stiles

Great idea. I can see the media furore now... the scourge of Closed Source software.

@AC

I agree totally. Some of them can't even spell 'intolerant'.


@Stiles

You wouldn't buy a cake without a list of ingredients and a breakdown of protein, fat and carbohydrates, would you?

err yes most people aren't that anal.

Just because you have a list of ingredients doesn't mean you know how to put it together. Never drunk Coke?

After all a car is a lump of metal and plastic. Pop to Ford and ask for the detailed plans (engine design, ECU assembly and programming) and see what they tell you.....

In fact why doesn't everybody just give up trying to make money, share everything with everyone.

Damn that's called Communism and the good ol' USofA won't like that.


@ AJ Stiles - caveat emptor

Let the buyer beware still applies, but this is based on the unvoiced "let the buyer be aware". Software is purchased by wonks in business organisations who DO NOT CARE or even bother to try to understand the distinction between open- and closed-source. The other category of purchaser is those who just want to get on t'internet to see PH's bedroom antics NOW! The remaining 0.00236% (us) understand your point and agree with you.

The correct economic incentive for purchasers in business organisations is to make the Purchasing Boss and all his team PERSONALLY liable for the cost of business disruption arising from a published exploit.

The cake analogy could backfire...

M$ 'disclosure' would be along the lines of: "this software contains 5.7 % enumerated types and gives the user a wide range of rich application execution experiences" i.e. typically fatuous and unhelpful.


@Stiles, @Stu Reeves

Where's Richard Stallman when you need him? :-)


The update only seems to be available for Windows?

It's so strange, but there doesn't seem to be an update for Mac or Linux, just Windows.

Why do Windows people get all the attention?


@Dave - with great power.....

I think you could possibly get people for that anyway - and it sounds like a great idea to me.

"Corporate negligence" should cover it, and allows you to go after management rather than the poor saps (like me) on the floor that can't do anything about it anyway.

(apologies for the spiderman quote, and even more apologies for not knowing the original source)


PDFs are not non-executable

Unfortunately, these days PDFs aren't exactly non-executable. Adobe decided to add JavaScript scripting a while ago and didn't think the security model through too well...


@ Vladimir Plouzhnikov

An outstanding point Vladimir - why are we blaming individuals for defects in the software?

If you leave your keys in your car and it's stolen your insurance is void -

If it goes on fire through a manufacturing defect the manufacturer is liable -

If Microsoft or Adobe f**k up we have to buy the next version to resolve the problem fully or accept an update which throws something else out!!!!

Where does it say on the Microsoft or Adobe EULA

"The chances of this product being compromised is highly likely and any personal data stolen may bankrupt you. This is not our fault as we do make the effort to secure our systems"

Most shocking findings to date for me personally - Office 2007 is a patched locked down version of - Office 2003 which is a patched locked down version of - Office 2002 which is a patched locked down version of - Office 2007 which is a patched locked down version of - Office 97.

Same applies from Vista - XP - 2000 - NT

Yet they were bundled as new operating systems and priced accordingly.

Bottom line - you go for products from the big guys and get burnt - go cry elsewhere.


Not quite...

"BTW these viruses only work because of failings in the poorly written software such as Windows and Acrobat and those are not Russian."

No. They work because of 2 facts: 1) to err is human and 2) there are scum willing to exploit their fellow human beings. It could be any software exploited by any nationality so saying that any given problem is the specific fault of anyone is kinda unfair. 419'ers have been quite scummy without having to resort to exploiting faulty software. It's a human condition, and if we can't handle that we deserve to fail.

Instead we could have a bit more productive discussion by acknowledging the facts and then try to figure out which infrastructure to handle it. Here in Denmark we have something cooking that's beyond idiotic and far into dangerous: Digital Signature. One key to rule them all, banking, public services, real estates, mortgages - everything in one encryption key. I'm not participating. My PC is not and never will be secure enough to hold anything remotely like this. I'll live with a fragmented life and enjoy the fact that even though my credit card may be abused I still have a house to live in.

Anonymous Coward

PostScript is a language ...

Correct me if I'm wrong but last time I looked, PDF is just a standardized markup language ... basically PostScript with comments and extra functions. PostScript is a stack-based programming language, albeit for typesetting (inc. displays). So PDFs have been always 'executed' by a PostScript/EPS/PDF engine, no?

Anonymous Coward

@Gilbert

The vuln. only affects the systems with installed Microsoft Internet Explorer 7. That's why there is no update for Mac or Linux.


PDFs were /never/ non-executable

PDF is a derivative of PostScript, which is a fully Turing-complete interpreted language. They trimmed some of PostScript's more egregiously risky features, like access to the I/O and filing systems, but it's always basically been that a PDF is an executable script.


Version?

The update appears to be just for the latest version of Reader. Does that mean that older versions are OK? I'll just go on using Firefox, I guess...


@Glenn Gilbert

Linux -- and OpenSolaris -- users don't need no stinkin' Adobe Acrobat! We can just use kpdf (KDE), evince (GNOME) or xpdf. Both OpenOffice and kOffice can export PDF natively, and *any* application running under KDE or GNOME can "print" to a PostScript or PDF file.

You can probably even persuade some or all of the above to compile on a Mac.

Now, how about a campaign to educate the masses about alternative, Open Source PDF viewers? The statement "requires Acrobat Reader" which often accompanies PDFs on web sites is just flat-out untrue -- I can't see any difference between this, and an audio CD claiming on the box that it requires (for argument's sake) a Philips CD player to listen to it (which would be a breach of European competition law).

Anonymous Coward

@everyone who @Jesus Puncher

graham t - "They would cut off the west from their oil and gas in retaliation - £2/litre petrol anyone? No central heating this winter?"

So, basically you're saying that the 150 million lost to scams is a kind of hidden tax or something that we pay to the Russians for lower oil prices. And that is acceptable. That they allow us access to their oil, and we allow them access to our non-IT-savvy citizens' bank accounts?

It's an interesting proposal, and way of looking at it, but it seems a little unfair to me, especially if you're not IT literate.

anon - "Nice, punish 140000000 people because a few of them publish malware."

Well, that's the point. It's not just a few of them publishing malware. By all accounts it's a whole system that is embracing it and protecting it. So we need to attack / protect against the whole system. I agree with what Pascal Monett said..

Pascal Monett - "I should hope that a truly working Russian police force would be tracking its users right now"

Yeah ok. So maybe my suggestions are a bit ill thought through, but my point is that if the Russian authorities are protecting these people, then it is a political situation in which we have to fight more than just the monkeys writing the code. So no, I don't think it's a case of just closing the Russian Business Network; it's more a case of closing the Extended Russian Business Network.


@ Jesus Puncher

Re your quote: "its kind of like the argument about muslims sitting by and saying that most of them are innocent and peaceful, instead of taking upon themselves to oust their disruptive element, seeing as they have the closest ties and best ability to do so. (or any other religion etc)"

I don't see the Christians sorting out Bush or Blair (who continues to spread dissent and verbal malware throughout the world.)

Until then, I think it's unfair to blame the majority of the world's largest landmass for a couple of dodgy businesses who spread porn and viruses. Let's face it, at least Yeltsin was more fun when drunk.


Only Acrobat 8.X and 7.X affected

We run Acrobat Pro 6.X here at work. I was starting to get pissed about no patch available for Acrobat 6.X then I finally managed to unearth this from Adobe's site:

"Adobe Reader 6.X and Acrobat 6.X are not vulnerable to this issue."

http://www.adobe.com/support/security/bulletins/apsb07-18.html

Good thing we haven't "upgraded"(?) to the latest Acrobat bloatware, eh?

Anonymous Coward

@Angela

OK. Bush and Blair are driven by greed not religious lunacy.

What has landmass got to do with it?

It is not "a couple of dodgy businesses". It is a whole network of business, politicians, police. In fact, more of a community. Read more about it. There are a ton of articles and references.

Anonymous Coward

@Vladimir Plouzhnikov

Yeah ok "Annex" is completely the wrong word. i agree. sorry. my bad.

Quote you - "BTW these viruses only work because of failings in the poorly written software such as Windows and Acrobat and those are not Russian."

Yep. And people succumb to anthrax because of failings in the poorly written DNA.

It's no more acceptable or blameless to attack someone with Trojans and Phishing attacks than it is with Anthrax or Biopreparat. And in all cases whoever is doing these attacks should be stopped. Or are you saying that Russian Business Network is blameless in this because they didn't write the Windows and Acrobat code??????


Soyuz nerushimy respublik svobodnykh etc...

You! Russky bashers! GTFO my Internets!

Anonymous Coward

@ Steve

According to "Dusting my brain" the IP address for RBN is:

81.95.147.107

Anonymous Coward

cut-off russia?

Funny that russia was threatened with denying their membership to the WTO over an MP3 selling site which was blocked by credit card companies etc. and yet here we have a known facilitator of criminal activity, and serious criminal activity at that, and nothing can be done?

Good to see where the responsibilities lie.

Anonymous Coward

shutting down

Funny that a dubious MP3 site leads to threats to refuse Russia into the WTO and possible sanctions, but what everyone says is a network involved in criminal activity, and pretty nasty activity at that, draws no heavy handed response, or any response at all it seems.

This in a week when Interpol co-ordinate raids on private file sharers.


@A J Stiles (1st post) - no closed source?

Are you aware that many cars, trains, medical devices, etc contain closed source. You should demand a source printout before you use the next potentially harmful object having a microprocessor..


Re: how to deal with the ru55ians

First, Anonymous Coward: The IP you gave is only one of many.

Now, how to protect your network:

deny from 81.95.144.0/22

This will cover only the IP block discussed, however. You need to block all of AS41173, so include:

deny from 81.95.156.0/22

This should be done at the BGP level if at all possible. Otherwise, implement it at the highest level firewall under your control.

For more information, see http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7465


Not just Adobe

I worked for a security software company a few years back and did a bit of auditing. We found at least one hole in our PDF handling code - basically the format rather lends itself to that kind of error.

I wouldn't be surprised if open source PDF interpreters like Ghostscript have similar problems - they're convoluted by nature and not exactly the place people tend to go delve.


@Jesus Puncher

Re: "you're saying that the 150 million lost to scams is a kind of hidden tax..." Errr, no. I am saying if you slap the Russian bear because one of its fleas bit you, be prepared to get a face full of claws. It's better to tackle the flea itself. 150 million? pah! an hour's lost production if the gas is cut off. Try persuading the politicians that that sacrifice is worth making (x 24 x 365 x n). One wonders who would be the ones "cut off". Let's see, tighten up ISP security, or a new cold war and global recession? Hard choice. (unfortunately the politicians take the third choice - "do nothing")

This is not a third world Afghaniraqistan we're talking about. The West is in no position to cut off their phones - and as I pointed out, the internet doesn't work on PSTN dial-up - the internet backbone lines are separate from the phone system. (Quote "annex (sic) russia from the *phone* system...") so I'm not sure what it would achieve.

Yes RBN is a problem that needs sorting, but get real!


@Jesus Puncher

"It no more acceptable or blameless to attack someone with Trojans and Phising attacks than it is with Anthrax or Biopreparat. And in all cases who ever is doing these attacks should be stopped."

Yes, but your suggestion is equivalent to demanding imprisonment of all bioscientists in the world because one of them was suspected in making such anthrax attacks. You see, this ingenious approach to solving problems is why the US regime is being more and more detested by the rest of the world.


Cutting off your nose to spite your face

Even if one could isolate Russian IP addresses, the fact is that blocking Russian IP addresses will just stop you accidentally viewing Russian web sites. For various reasons, the language barrier being just one, most of us don't do that very often.

Most of the email spam pumped out by these people is sent from botnets, many nodes of which are in your country (wherever you are) and possibly even your ISP. Email headers can be faked, and the only direct connection is the final hop from your ISP's mail servers to your own machine. You weren't thinking of blocking *them* were you?

No. I'm afraid that "dealing with the Ru55ians" is going to be harder than that.

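An added example (not part of the thread) that ties Morley Dotes' two CIDR blocks to Ken's point about forged headers: it parses the Received: chain of a constructed message and treats only the hop our own MX recorded as evidence, reporting inner hops inside the blocklist as unverified claims. The hostnames and the 198.51.100.x / 10.x addresses are constructed; the CIDR blocks are the ones quoted above.

```python
import ipaddress
import re

# The two CIDR blocks quoted in the thread for AS41173 (the "deny from" lines).
BLOCKLIST = [ipaddress.ip_network(c) for c in ("81.95.144.0/22", "81.95.156.0/22")]

# Bracketed IPv4 literal in a Received: line, e.g. "from host (host [81.95.147.107])".
_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw: str) -> list[str]:
    """Join folded continuation lines (leading space or tab) back onto their header."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw: str) -> list[str]:
    """IPv4 addresses from the Received: chain, outermost (most recently added) first."""
    hops: list[str] = []
    for line in unfold_headers(raw):
        if line.lower().startswith("received:"):
            match = _IP_IN_BRACKETS.search(line)
            if match:
                hops.append(match.group(1))
    return hops


def in_blocklist(ip: str) -> bool:
    """True if the address falls inside any blocklisted CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


def assess(raw: str) -> dict:
    """Separate the one hop our own MX observed from the hops the sender claims.

    The outermost Received: line is the one our relay wrote, so its peer address
    is real evidence. Every inner line arrived as part of the message and could
    have been forged by whoever sent it, so a hit there is only a hint.
    """
    hops = received_hops(raw)
    verified = hops[0] if hops else None
    claimed = hops[1:]
    return {
        "verified_peer": verified,
        "verified_hit": verified is not None and in_blocklist(verified),
        "claimed_hits": [ip for ip in claimed if in_blocklist(ip)],
    }


# Constructed sample 1: our MX (mx.example.org) took the mail straight from an
# address inside the blocklist. That hop is verifiable.
SAMPLE_DIRECT = """\
Received: from relay.example.net (relay.example.net [81.95.147.107])
\tby mx.example.org with ESMTP id abc123; Tue, 23 Oct 2007 10:00:00 +0000
Received: from [10.1.2.3] by relay.example.net; Tue, 23 Oct 2007 09:59:00 +0000
From: someone@example.net
Subject: INVOICE.pdf
"""

# Constructed sample 2: a botnet node on a consumer line (198.51.100.23, a
# documentation address) delivered the mail and stuffed a forged inner
# Received: line naming a blocklisted address. Only the outer hop is trustworthy.
SAMPLE_FORGED = """\
Received: from dsl-pool.example.com (dsl-pool.example.com [198.51.100.23])
\tby mx.example.org with ESMTP id def456; Tue, 23 Oct 2007 11:00:00 +0000
Received: from gateway.example.net (gateway.example.net [81.95.156.9])
\tby dsl-pool.example.com; Tue, 23 Oct 2007 10:59:00 +0000
Subject: INVOICE.pdf
"""


if __name__ == "__main__":
    for name, sample in (("direct", SAMPLE_DIRECT), ("forged", SAMPLE_FORGED)):
        print(name, assess(sample))
```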

Where is...

Ronnie Regan's law that was supposed to make the Soviet Union illegal - bombing will start in 5 minutes...


1. @ JP @Angela 2. @ Ken 3. @all discussing vulnerability

1. Straying off into religion / faith. Bush, Blair may or may not be driven by 'greed' (a term that may require further refinement); however, this does not mean that they are not also driven by their faith. They have both publicly declared that they are so driven. In my personal opinion people of faith who also seek political power need to demonstrate the intellectual horsepower to *separate* the two - not combine them, as these 2 dangerous people have done.

2. Ken, when Morley Dotes writes, e.g. 'deny from 81.95.144.0/22' you can take it to mean 'block all inbound traffic from that IP range', i.e. 'blocking Russian IP addresses' will stop everything including 'you accidentally viewing Russian web sites'. Blocking outbound requests also helps ;-)

3. Agree with AJ S when he writes: "The statement "requires Acrobat Reader" which often accompanies PDFs on web sites is just flat-out untrue"; however AJS's open-source advocacy (proselytising) needs also to be taken with a pinch of ('show the evaluation report!') salt.

Morten Ranulf Clausen's 2 facts are apposite; my suggestion to address his invitation to 'discuss the infrastructure to handle it' is the classic security engineering approach: Layered Defence (aka Defence in Depth).

Defence at the application layer (buy applications with a proven behaviour {admittedly, not universally available}). Defence at the network interior layer: appropriate corporate security policies (expressed, understood, monitored, enforced) about acceptable use, principle of least privilege, host-based intrusion detection and alerting, locked-down host computer configurations, network-based intrusion detection, heuristic analysis, automated alert & response, anti virus. Defence at the corporate boundary: firewalls (stateful, deep packet inspection), AV, content and application proxies. Defence at the ISP / service provider layer (duplicating all approaches already listed). Use a 3rd party service provider for mail filtering (perhaps).

Downsides?

A. It all costs a bundle

B. Will take everybody (everybody!) *years* to implement it all; especially the "applications with a proven behaviour" & "defence at the ISP / service provider layer" bits - I admit that.

In summary: in the meantime - good luck to you all and plenty of work for me for years to come.


RBN isn't Russia

RBN isn't Russia and crime has no nationality. I would suggest addressing this given 'gray' ISP, RBN, without using it as a synonym for Russia.


My, my, there is a lot of confusion here...

Steve: The address of the Russian Business Network is http://www.rbnnetwork.com/ - but I strongly discourage you from trying to block that from your hosts file. Hint: ping it to see what IP address it resolves to. (Anybody else - if you don't know what that IP means, don't mess with it, because you're going to cut off your connection to the Internet.)

Costa Mihalidis: Word (and Excel, and PowerPoint) documents are dangerous to open even if they do *not* contain macros. There are many exploits in these applications that allow the execution of malicious code even from macro-less documents.

Oh, and everybody: This is *not* an Acrobat exploit! Acrobat's only fault is allowing automatic execution of embedded URLs (instead of you having to click on them manually). The vulnerability is in Internet Explorer 7 on Windows XP machines. Acrobat is just an attack vector. Adobe patching it closes this attack vector - but the very same vulnerability can be exploited from other applications - Firefox (already patched), Skype (already patched), mIRC, Miranda, etc., etc. We're still waiting for Microsoft to patch the root of the problem. :-(

Anonymous Coward & Chris Ovenden: Foxit is vulnerable to this exploit too! The only difference is that Acrobat runs it automatically, while with Foxit you have to be tricked to click on a URL in the document.

Pascal Monett: The RBN does not break any Russian laws, so the Russian police cannot do anything about it. Only its *customers* break laws - and the police does what it can. While what the RBN does is certainly unethical, prosecuting them is no different than prosecuting the phone company for allowing some of its (probably criminal) customers to use encrypted mobile phone communications.

A J Stiles: Open source software for PDF viewing won't save you from this exploit, if you have IE7 installed on a WinXP machine.

Glenn Gilbert: This exploit is in IE7/WinXP - that's why there is no Acrobat update for Linux and Mac. The exploit doesn't work there.
