Friday, June 26, 2009 ads are spreading PDF exploits too!

On Monday I posted about a PDF trojan downloaded from an ad server.

Tonight I saw another one, this time from

Like last time, I took a look:

% ls -l 710.pdf
-rw-r--r-- 1 uid gid 14720 2009-06-26 02:44 710.pdf
% file 710.pdf
710.pdf: PDF document, version 1.1
% cksum 710.pdf
279936831 14720 710.pdf
% strings -a 710.pdf | less
var bd = "10%32%118%97%114%32%86%121%103%76%78%100%106%32%61%32%110%101%119...etc.
It looks very much like the last one (which I deleted), even being the same size. The var bd stuff is the payload, which is a (Javascript?) text string containing what appear to be the encoded binary exploit code.

Firefox history contained two URLs, with path components of /kn/in.php and /kn/pdf.php, both from the same server.

> host has address has address has address

> host domain name pointer
> host domain name pointer
> host domain name pointer

Look familiar? It should, it's the same outfit as last time!

Wikipedia's entry for say it "has major corporate backing" and names AOL/Time Warner. As I cited from Another virus infection, courtesy of Yahoo News in the prior post:
Major web sites like and are infecting thousands, if not hundred thousands of computers with trojans, back doors, and other viruses, through some of their ad service providers.
The scope and breadth of this is startling, and it's been going on for months!

What gives? Why aren't people up in arms? If the Internet trade press has covered this, please let me know; I haven't seen anything. Is scandalous news being covered up?

Update: I moved the 710.pdf file to a Windows machine and scanned it with both Trend Micro HouseCall and AVG Free and neither one found a thing.

Update 2: See Steps To Prevent Gumblar / Martuz / Nine-Ball for things you can do to stay safe.

No comments:

Post a Comment