PDF attacks in the red light district

Bochum, 9 June 2009
In the last few days the analysis systems of G Data Security Labs have identified several hundred domains with sleazy-sounding names that exploit a security hole in Adobe Acrobat Reader to infect user systems with malware. The domain names string together popular salacious terms in order to lure Internet surfers who are searching for adult content. The operators of the malicious websites also use search engine optimisation tricks to secure a better position in the search engine results.

"Currently we are only finding these PDF-based attacks on red light websites. However, bearing in mind their success, we expect, in the near future, to see other sites using corresponding PDFs as malware carriers," speculates Ralf Benmüller, Manager of G Data Security Labs.

The malware downloaded during the attack is also detected by G Data as Packer.Malware.NSAnti.h (EngineA) or "Win32:Agent-ACFU [Trj]" (EngineB) and blocked accordingly, provided the HTTP scan has not been switched off.

The websites on these domains contain inline frames pointing to a malicious PDF document on a Chinese malware distribution server. In the default configuration of common browsers with the Acrobat plug-in, that PDF is loaded automatically as soon as the visitor opens the page.

G Data's antivirus products detect the PDF file as "JS:Pdfka-FS". As long as the monitor is switched on, G Data customers are therefore protected automatically against infection.

As with other malware that exploits weaknesses in the PDF format, the document hides its malicious functionality behind the format's stream compression.

The unpacked object contains JavaScript that first performs a so-called heap spray, filling the application's memory with the attack code that is to be executed. The script then exploits a buffer overflow in the Collab.getIcon() function (see CVE-2009-0927) in order to execute the prepared malicious code.
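The compressed-stream concealment and the heap-spray-then-Collab.getIcon() sequence described above, as an added example that is not part of the original press release: a small Python triage script that inflates FlateDecode streams and reports the indicators a defender would look for. The minimal PDF layout, the indicator names and the sample JavaScript line are all constructed for this illustration, not taken from a captured file.

```python
import re
import zlib

# Indicators drawn from the advisory: JavaScript launched on open, a %u heap-spray
# string built with unescape(), and the Collab.getIcon() call (CVE-2009-0927).
INDICATORS = {
    "javascript_action": re.compile(rb"/S\s*/JavaScript|/JS\b"),
    "heap_spray_unescape": re.compile(rb"unescape\s*\(\s*[\"']%u"),
    "collab_geticon": re.compile(rb"Collab\.getIcon"),
}
# A non-nested stream dictionary followed by its stream body.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)

def extract_streams(pdf: bytes):
    """Yield (dict, body) per stream, inflating FlateDecode bodies so hidden JS is visible."""
    for m in STREAM_RE.finditer(pdf):
        params, body = m.group(1), m.group(2)
        if b"/FlateDecode" in params:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # corrupt or non-zlib data: fall back to scanning the raw bytes
        yield params, body

def scan_pdf(pdf: bytes) -> dict:
    """Count indicator hits over the raw file plus every inflated stream body."""
    views = [pdf] + [body for _, body in extract_streams(pdf)]
    hits = {}
    for name, rx in INDICATORS.items():
        count = sum(len(rx.findall(v)) for v in views)
        if count:
            hits[name] = count
    return hits

def verdict(hits: dict) -> str:
    if "collab_geticon" in hits or "heap_spray_unescape" in hits:
        return "malicious"
    return "suspicious" if "javascript_action" in hits else "clean"

def build_sample_pdf(js: bytes) -> bytes:
    """Constructed sample, not a captured file: JS run by /OpenAction, stored compressed."""
    body = zlib.compress(js)
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    sample = build_sample_pdf(b'var s = unescape("%u4141"); Collab.getIcon(s);')
    print(scan_pdf(sample), verdict(scan_pdf(sample)))
```

Real samples often split the JavaScript across several objects or obfuscate the function name, so read a "clean" result as "no known indicators found" rather than as proof the file is harmless.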

Over the last few months the PDF format has become increasingly popular among online criminals as an infection vector for client computers, owing to the several weaknesses in the widely distributed Adobe Reader. The current attack clearly demonstrates how attackers lure web surfers with supposedly pornographic content and then spread their malware by exploiting one of these weaknesses.

Press contact

E-mail: presse@gdata.de
Telephone: 0234 / 97 62 - 0

Author:
Thorsten Urbanski