Scary PDFs and Serious Word of Warning

F-Secure’s Research Lab recently disclosed a sample PDF with a nasty payload. Here is an excerpt of their clear and concise summary:

“When this PDF is opened in Acrobat Reader, it uses a known exploit to drop files.

Specifically, it creates two files in the TEMP folder: D50E.tmp.exe and 0521.pdf.

Then it executes the EXE and launches the clean 0521.pdf file to Adobe Reader in order to fool the user into thinking that everything is all right.

D50E.tmp.exe is a backdoor that creates lots of new files with innocent sounding filenames, including:

\windows\system32\avifil16.dll
\windows\system32\avifil64.dll
\windows\system32\drivers\pcictrl.sys
\windows\system32\drivers\Nullbak.dat
\windows\system32\drivers\Beepbak.dat

The SYS component is a rootkit that attempts to hide all this activity on the infected machine.

The backdoor tries to connect to port 80 of a host called nbsstt.3322.org. Anyone operating this machine would have full access to the infected machine.”
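Detection logic for the chain that summary describes, as an added example (not F-Secure's code and not part of the original post). It generalises the sample to the behaviour pattern, a PDF reader writing an executable into TEMP and then spawning it, plus a match on the quoted C2 host; the Sysmon-style event records are constructed here, and FoxitReader.exe as the Foxit process name is an assumption.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the F-Secure summary above
C2_HOST = "nbsstt.3322.org"
# AcroRd32.exe is Adobe Reader's process; FoxitReader.exe is an assumed Foxit name
READER_IMAGES = {"acrord32.exe", "foxitreader.exe"}
TEMP_RE = re.compile(r"[\\/]temp[\\/]", re.IGNORECASE)


@dataclass
class Event:
    kind: str          # "file": image wrote target; "process": parent started image; "network": image connected to target
    image: str
    parent: str = ""
    target: str = ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, evidence) pairs for the reader-dropper behaviours and the known C2 host."""
    findings = []
    for e in events:
        if (e.kind == "file" and basename(e.image) in READER_IMAGES
                and TEMP_RE.search(e.target) and e.target.lower().endswith(".exe")):
            findings.append(("reader_wrote_temp_exe", e.target))
        elif (e.kind == "process" and basename(e.parent) in READER_IMAGES
                and TEMP_RE.search(e.image) and e.image.lower().endswith(".exe")):
            findings.append(("reader_spawned_temp_exe", e.image))
        elif e.kind == "network" and e.target.lower().split(":")[0] == C2_HOST:
            findings.append(("known_c2_host", e.image))
    return findings


# Constructed events modelled on the chain in the quoted summary, plus one benign event
READER = r"C:\Program Files\Adobe\Reader\AcroRd32.exe"
DROPPER = r"C:\Users\bob\AppData\Local\Temp\D50E.tmp.exe"
SAMPLE_EVENTS = [
    Event("file", READER, target=DROPPER),
    Event("file", READER, target=r"C:\Users\bob\AppData\Local\Temp\0521.pdf"),  # decoy PDF, not flagged
    Event("process", DROPPER, parent=READER),
    Event("network", DROPPER, target="nbsstt.3322.org:80"),
    Event("process", r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(rule, evidence)
```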

Allow me to offer a word of warning to those of us in the trenches of IT. It is very easy to become complacent about the presence of outdated versions of applications within our networks. We are inundated with version numbers and constant updates and it is easy to lose our vigilance and entertain the notion of “it won’t happen to us.”

I dare you to answer four questions.
Who did this PDF appear to come from?
Would your normal user have opened this PDF?
Did it exploit an unknown or known vulnerability?
Is your version of Foxit or Adobe Reader the latest patched version?

I know patching Reader is a headache and time-consuming grunt work, but consider all the time that you have invested in firewall rules, antivirus, antispyware, usage policies, user permissions, etc. All circumvented by an unpatched PDF reader.
