Have I suffered a PDF exploit?
March 24, 2009 11:14 AM

I tried to visit the web site of a local business, and a PDF was automatically and unexpectedly downloaded. What was it trying to do, and how can I know whether I avoided the exploit?

The web site was orangecab dot net, and its homepage contains an extraneous-seeming iframe for namebrandmart dot cn, with filename in.cgi?income18. Following that with wget gives the following (replacing "." with " dot " as necessary):
$ wget http://namebrandmart dot cn/in.cgi?income18
--11:06:12--  http://namebrandmart dot cn/in.cgi?income18
Resolving namebrandmart dot cn...
Connecting to namebrandmart dot cn||:80... connected.
HTTP request sent, awaiting response... 302 Found
Cookie coming from namebrandmart dot cn attempted to set domain to mmcounter dot com
Cookie coming from namebrandmart dot cn attempted to set domain to mmcounter dot com
Cookie coming from namebrandmart dot cn attempted to set domain to mmcounter dot com
Location: http://freewebhostguide dot com/index.php [following]
That file, in turn, contains an iframe for cache/readme.pdf. That caused Acrobat Reader to stall, but I tried to kill it as quickly as possible. Using Acrobat Reader 8.1.1/WinXPSP2.

What to do now?
posted by grouse to Technology (14 answers total) 4 users marked this as a favorite
Response by poster: There is a big chunk of JavaScript in that PDF but it is obfuscated.
posted by grouse at 11:25 AM on March 24, 2009
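As an added example, not code from the thread: a small Python scanner in the spirit of pdfid that counts the PDF features at issue here (JavaScript, auto-run actions) and survives two common obfuscations, hex-escaped names such as /J#61vaScript and JavaScript hidden inside FlateDecode streams. The sample PDF bytes are constructed inline for demonstration.

```python
import re
import sys
import zlib

# Dictionary keys whose presence warrants a closer look before opening a PDF.
SUSPICIOUS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name escapes (/J#61vaScript -> /JavaScript) so that
    obfuscated key names match the plain keywords."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated, decompressed bodies of FlateDecode streams;
    non-Flate or damaged streams are skipped."""
    out = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"".join(out)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious keywords in the raw file and in inflated streams.
    'risky' flags JavaScript combined with an automatic trigger (/OpenAction or /AA)."""
    # Inflate from the raw bytes first: un-escaping '#xx' inside compressed data would corrupt it.
    text = normalize_names(data) + normalize_names(inflate_streams(data))
    counts = {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", text))
              for k in SUSPICIOUS}
    has_js = counts["/JavaScript"] + counts["/JS"] > 0
    auto_run = counts["/OpenAction"] + counts["/AA"] > 0
    counts["risky"] = has_js and auto_run
    return counts


# Constructed sample: a catalog whose /OpenAction points at an escaped JavaScript action
# whose script body is stored in a FlateDecode stream (benign alert, for illustration only).
SCRIPT = b"app.alert('constructed sample');"
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
          b"4 0 obj << /Length " + str(len(zlib.compress(SCRIPT))).encode() +
          b" /Filter /FlateDecode >>\nstream\n" + zlib.compress(SCRIPT) +
          b"\nendstream\nendobj\n")

if __name__ == "__main__":
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(scan_pdf(target))
```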

There are some viruses that use a javascript exploit in Adobe Acrobat.
posted by electroboy at 12:02 PM on March 24, 2009

What was it trying to do, and how can I know whether I avoided the exploit?

There are PDF exploits in the wild, one of which you probably encountered. You can try to apply a registry fix for the PDF issue and close a hole for the Conficker worm as well as try to run the usual battery of AV and malware detection tools.

The only way to really be sure with Windows is to reformat the hard drive and install the OS from scratch, and then never connect it to the net or exchange files with it. But you can patch and scan, and cross your fingers.
posted by Blazecock Pileon at 12:28 PM on March 24, 2009 [1 favorite]

Yep, it's an Acrobat Reader exploit; see the partially deobfuscated source code here. Looks like it targets two different vulnerabilities (1, 2) affecting versions of Acrobat Reader through 8.1.2. I have no idea what payload it was trying to run, or if it succeeded, but if I were you I'd assume the worst.
posted by teraflop at 12:37 PM on March 24, 2009

I had something similar happen some time ago (a couple of months, maybe?) and after Acrobat Reader crashed, my anti-virus software started reporting several write attempts being blocked. There was also an extra task running that seemed to be trying to send out spam, and kept re-appearing any time I shut it down.

So consider this an attempt to compromise your computer and try to determine if it was successful or not. At the very least scan it with several reputable anti-malware tools, and be alert for suspicious behavior. Some malware is really good at hiding itself and making itself difficult to remove, so the reformat and reinstall approach is the safest one for sure.

I think I was able to clean up my computer after this incident, but it'll be a good long time before I stop being suspicious of it.
posted by FishBike at 12:44 PM on March 24, 2009

I think the first thing I would probably do is alert the website owner/admin that their page has malicious code.
posted by jmnugent at 12:59 PM on March 24, 2009

Also I believe there's an update to Adobe Reader which fixes this.
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 1:27 PM on March 24, 2009

Also I believe there's an update to Adobe Reader which fixes this.

Indeed, and I knew that before my incident with it being exploited. You can imagine how much I regret procrastinating about installing that update!

There is also an update to the update, which came out a week or so ago, to fix another similarly exploitable flaw in Adobe Reader.
posted by FishBike at 3:07 PM on March 24, 2009

Adobe Reader is (a) the market leader in PDF readers, which makes it a prime target for malicious exploiters and (b) a big honking chunk of bloat. Try Foxit Reader 2.3 build 3902 instead. Also, now would be a good time to start thinking about the benefits of limited user accounts.
posted by flabdablet's sock puppet at 7:32 PM on March 24, 2009

Response by poster: Thanks guys for all your help. I do use a limited user account. I used to use Foxit, but Acrobat 8 seemed to add a little nimbleness to it.

Anyone want to suggest some tools I should run? I run Avast already. It didn't find anything in the PDF so presumably it doesn't know about this malware.
posted by grouse at 9:23 PM on March 24, 2009

Tools? Malwarebytes Anti-Malware, definitely.

Also, use NoScript in Firefox, as well as Adblock or Adblock Plus and optionally FlashGot.
posted by dhartung at 1:21 AM on March 25, 2009

Response by poster: Now Avast is calling it Exploit.JS.Pdfka-DC.
posted by grouse at 4:46 AM on March 25, 2009

If you're using a limited account, you're golden. If you're worried that your account profile might now have something nasty hiding in it, all you have to do to set your mind at rest is

1) log on to your admin account
2) rename your limited account's profile (e.g. "C:\Documents and Settings\grouse" -> "C:\Documents and Settings\grouse-renamed")
3) log off admin, log on to your limited account - Windows will create a new profile for it
4) move any files that you want from grouse-renamed to corresponding spots in grouse
5) when you're sure there's nothing left in grouse-renamed that you still want, delete it

But the most likely outcome is that whatever this exploit was trying to do will need admin rights to get it done, and that not having granted them, you're fine.
posted by flabdablet's sock puppet at 6:52 PM on March 25, 2009

I forgot the second half of my pointless comment. I got hit by the nrfa.exe google redirect virus. It redirects all the google search results to a handful of scam websites. Removal involved deleting it from the registry and the windows system folder, but overall it wasn't too tough. Most sites with detailed removal instructions recommended disabling javascript in Adobe Reader and installing NoScript, which has worked so far.
posted by electroboy at 7:26 AM on March 26, 2009
