Have I suffered a PDF exploit?
March 24, 2009 11:14 AM   Subscribe

$ wget http://namebrandmart dot cn/in.cgi?income18
--11:06:12--  http://namebrandmart dot cn/in.cgi?income18
Resolving namebrandmart dot cn... 94.247.3.150
Connecting to namebrandmart dot cn|94.247.3.150|:80... connected.
HTTP request sent, awaiting response... 302 Found
Cookie coming from namebrandmart dot cn attempted to set domain to mmcounter dot com
Cookie coming from namebrandmart dot cn attempted to set domain to mmcounter dot com
Cookie coming from namebrandmart dot cn attempted to set domain to mmcounter dot com
Location: http://freewebhostguide dot com/index.php [following]

There are some viruses that use a javascript exploit in Adobe Acrobat.
posted by electroboy at 12:02 PM on March 24

What was it trying to do, and how can I know whether I avoided the exploit?

There are PDF exploits in the wild, one of which you probably encountered. You can try to apply a registry fix for the PDF issue and close a hole for the Conficker worm as well as try to run the usual battery of AV and malware detection tools.

The only way to really be sure with Windows is to reformat the hard drive and install the OS from scratch, and then never connect it to the net or exchange files with it. But you can patch and scan, and cross your fingers.
posted by Blazecock Pileon at 12:28 PM on March 24 [1 favorite]

Yep, it's an Acrobat Reader exploit; see the partially deobfuscated source code here. Looks like it targets two different vulnerabilities (1, 2) affecting versions of Acrobat Reader through 8.1.2. I have no idea what payload it was trying to run, or if it succeeded, but if I were you I'd assume the worst.
posted by teraflop at 12:37 PM on March 24

I had something similar happen some time ago (a couple of months, maybe?) and after Acrobat Reader crashed, my anti-virus software started reporting several write attempts being blocked. There was also an extra task running that seemed to be trying to send out spam, and kept re-appearing any time I shut it down.

So consider this an attempt to compromise your computer and try to determine if it was successful or not. At the very least scan it with several reputable anti-malware tools, and be alert for suspicious behavior. Some malware is really good at hiding itself and making itself difficult to remove, so the reformat and reinstall approach is the safest one for sure.

I think I was able to clean up my computer after this incident, but it'll be a good long time before I stop being suspicious of it.
posted by FishBike at 12:44 PM on March 24

I think the first thing I would probably do is alert the website owner/admin that their page has malicious code.
posted by jmnugent at 12:59 PM on March 24

Also I believe there's an update to Adobe Reader which fixes this.
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 1:27 PM on March 24

Also I believe there's an update to Adobe Reader which fixes this.

Indeed, and I knew that before my incident with it being exploited. You can imagine how much I regret procrastinating about installing that update!

There is also an update to the update, which came out a week or so ago, to fix another similarly exploitable flaw in Adobe Reader.
posted by FishBike at 3:07 PM on March 24

Adobe Reader is (a) the market leader in PDF readers, which makes it a prime target for malicious exploiters and (b) a big honking chunk of bloat. Try Foxit Reader 2.3 build 3902 instead. Also, now would be a good time to start thinking about the benefits of limited user accounts.
posted by flabdablet's sock puppet at 7:32 PM on March 24

Tools? Malwarebytes Anti-Malware, definitely.

Also, use NoScript in Firefox, as well as Adblock or Adblock Plus and optionally FlashGot.
posted by dhartung at 1:21 AM on March 25

If you're using a limited account, you're golden. If you're worried that your account profile might now have something nasty hiding in it, all you have to do to set your mind at rest is

1) log on to your admin account
2) rename your limited account's profile (e.g. "C:\Documents and Settings\grouse" -> "C:\Documents and Settings\grouse-renamed"
3) log off admin, log on to your limited account - Windows will create a new profile for it
4) move any files that you want from grouse-renamed to corresponding spots in grouse
5) when you're sure there's nothing left in grouse-renamed that you still want, delete it

But the most likely outcome is that whatever this exploit was trying to do will need admin rights to get it done, and that not having granted them, you're fine.
posted by flabdablet's sock puppet at 6:52 PM on March 25

I forgot the second half of my pointless comment. I got hit by the nrfa.exe google redirect virus. It redirects all the google search results to a handful of scam websites. Removal involved deleting it from the registry and the windows system folder, but overall it wasn't too tough. Most sites with detailed removal instructions recommended disabling javascript in Adobe Reader and installing NoScript, which has worked so far.
posted by electroboy at 7:26 AM on March 26

« Older CSS/Javascript Filter: How do ...   |   Am I imagining things or has t... Newer »