Sophisticated techniques used to thwart AV detection
Security researchers have encountered a malicious PDF that exploits an unpatched vulnerability in Adobe Reader and Acrobat and uses complex techniques to evade detection. The document is believed to be part of a highly targeted attack.
The malicious file has been analyzed by Bojan Zdrnja, a security researcher with the Internet Storm Center, who notes that "Initially I even thought that it does not work, but after studying it a little bit, I found that this particular PDF document has some very interesting, sophisticated characteristics."
The purpose of this attack is to drop and execute two binary files on the system. The first, called SUCHOST.EXE, is a backdoor client that can be used to control the infected computer. The second, temp.exe, does nothing more than drop and open an additional, benign PDF file called baby.pdf. This decoy is meant to distract the user from the Adobe Reader crash caused by the exploit in the original PDF document.
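The article does not describe the specific evasion tricks the sample used, so the following is only an added illustration of the kind of static triage an analyst runs on a document like this; it is not code from the ISC analysis. It inflates FlateDecode streams, flags PDF name objects commonly associated with exploit delivery (/OpenAction, /JavaScript, /Launch and similar; the list is an assumption, not taken from the page), and counts PE images hidden inside streams, which is how a dropped binary such as SUCHOST.EXE would be carried. The sample PDF is constructed inline and carries a fake PE image, not real malware.

```python
import re
import zlib

# Name objects commonly associated with exploit delivery (assumed list, not from the page).
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/EmbeddedFile", b"/RichMedia")

# Body of each stream: everything between "stream\n" and "\nendstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


def extract_streams(pdf_bytes):
    """Return stream bodies, inflating FlateDecode streams where possible."""
    streams = []
    for m in STREAM_RE.finditer(pdf_bytes):
        body = m.group(1)
        # The stream dictionary sits between the preceding "obj" keyword and "stream".
        obj_start = pdf_bytes.rfind(b" obj", 0, m.start())
        dictionary = pdf_bytes[obj_start:m.start()]
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # damaged or multi-filter stream: keep the raw bytes
        streams.append(body)
    return streams


def count_pe_headers(data):
    """Count MZ headers whose e_lfanew points at a valid 'PE\\0\\0' signature."""
    count = 0
    idx = data.find(b"MZ")
    while idx != -1:
        if len(data) >= idx + 0x40:
            e_lfanew = int.from_bytes(data[idx + 0x3C:idx + 0x40], "little")
            if data[idx + e_lfanew:idx + e_lfanew + 4] == b"PE\x00\x00":
                count += 1
        idx = data.find(b"MZ", idx + 1)
    return count


def triage_pdf(pdf_bytes):
    """Static triage: suspicious names in the file or its inflated streams,
    plus the number of PE images found inside streams."""
    streams = extract_streams(pdf_bytes)
    corpus = [pdf_bytes] + streams
    names = set()
    for blob in corpus:
        for name in SUSPICIOUS_NAMES:
            # Name must not continue with letters (so /JS does not match /JSON etc.).
            if re.search(re.escape(name) + rb"(?![A-Za-z])", blob):
                names.add(name.decode())
    return {
        "suspicious_names": sorted(names),
        "embedded_pe_images": sum(count_pe_headers(s) for s in streams),
        "streams": len(streams),
    }


def build_sample_pdf():
    """Constructed sample (not the real malicious document): the catalog's
    /OpenAction runs JavaScript and a Flate-compressed stream carries a
    minimal fake PE image (MZ header, e_lfanew = 0x40, 'PE\\0\\0' at 0x40)."""
    fake_pe = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
               + b"PE\x00\x00" + b"\x00" * 64)
    compressed = zlib.compress(fake_pe)
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R "
        b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
        b"3 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

Run against a real document, a non-empty `suspicious_names` list or any embedded PE image is enough reason to detonate the file in a sandbox rather than open it; a decoy like baby.pdf would itself show up as an additional embedded stream worth extracting.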
This was most likely devised to attack a single individual or company, and the fact that it was sent around the holidays, when many files make their way into people's email inboxes, made it even less suspicious. "If we are to judge the new year by sophistication the attackers started using, it does not look too good," the SANS researcher concludes.