Hi, F-Secure Labs has learned of another interesting targeted attack. In this case, malicious PDF files were e-mailed to US defense contractors. While the "Aurora" attacks against Google and others happened in December 2009,
The PDF file was quite convincing and looked like it came from the Department of Defense:

[image: pdf]

*PDF file md5 hash: c144581973fe16a6adca09e0d630bf63*

The document talks about a real conference to be held in Las Vegas in March. When opened in Adobe Reader, the file exploited the CVE-2009-4324 vulnerability. This is the *doc.media.newPlayer* vulnerability that Adobe patched last Tuesday.

The exploit dropped a file called *Updater.exe* (md5: 3677fc94bc0dd89138b04a5a7a0cf2e0). This is a backdoor that connects to IP address *140.136.148.42*. In order to avoid detection, it bypasses the local web proxy when making this connection. Anybody who controls that IP will gain access to the infected computer and the company network. This particular IP is located in Taiwan.
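The proxy-bypass detail above is the useful detection hook: in a network where every workstation is supposed to reach the web through the local proxy, a workstation talking directly to an outside host on port 80 or 443 is anomalous regardless of whether the destination is already a known indicator. The script below is an added example, not code from F-Secure or from the original post. It assumes a perimeter firewall log in a simple CSV shape (`timestamp,src,dst,dport,action`) and a proxy at the hypothetical address 10.0.0.5; the log lines are constructed for the example, while the IP address and md5 hashes are the indicators quoted in the report above.

```python
import csv
import io
import ipaddress

# Indicators taken from the report above (not invented here).
IOC_IPS = {"140.136.148.42"}
IOC_MD5S = {
    "c144581973fe16a6adca09e0d630bf63": "malicious PDF",
    "3677fc94bc0dd89138b04a5a7a0cf2e0": "Updater.exe backdoor",
}

# Assumption for this example: policy says all workstation HTTP/HTTPS traffic
# must go through the web proxy at this (hypothetical) address.
PROXY_HOST = "10.0.0.5"
WEB_PORTS = {80, 443}

# Constructed sample firewall log (CSV). 10.0.1.23 is a workstation that talks
# to the proxy normally, then connects straight out to the indicator IP.
SAMPLE_LOG = """\
timestamp,src,dst,dport,action
2010-01-20T09:01:12,10.0.1.23,10.0.0.5,80,allow
2010-01-20T09:01:13,10.0.0.5,72.14.204.99,80,allow
2010-01-20T09:02:40,10.0.1.23,140.136.148.42,80,allow
2010-01-20T09:03:05,10.0.1.44,10.0.0.7,445,allow
2010-01-20T09:04:10,10.0.1.44,93.184.216.34,443,allow
2010-01-20T09:05:00,10.0.1.23,10.0.0.5,443,allow
"""


def is_internal(ip):
    """True for RFC 1918, loopback and link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def find_proxy_bypass(log_text, proxy_host=PROXY_HOST):
    """Return one alert per web connection that skipped the proxy.

    Traffic from the proxy itself is expected to go outside, so it is ignored;
    non-web ports and internal destinations are ignored too. A destination
    that is also a known indicator is raised to high severity.
    """
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        dport = int(row["dport"])
        if row["src"] == proxy_host or dport not in WEB_PORTS:
            continue
        if is_internal(row["dst"]):
            continue
        severity = "high" if row["dst"] in IOC_IPS else "medium"
        alerts.append({
            "time": row["timestamp"],
            "src": row["src"],
            "dst": row["dst"],
            "dport": dport,
            "severity": severity,
            "reason": "workstation web traffic bypassed proxy",
        })
    return alerts


def match_hashes(md5s):
    """Map any of the given md5 strings that are known indicators to a label."""
    hits = {}
    for h in md5s:
        key = h.strip().lower()
        if key in IOC_MD5S:
            hits[key] = IOC_MD5S[key]
    return hits


if __name__ == "__main__":
    for a in find_proxy_bypass(SAMPLE_LOG):
        print(f'{a["time"]} {a["severity"]:6} {a["src"]} -> {a["dst"]}:{a["dport"]} ({a["reason"]})')
    print(match_hashes(["3677FC94BC0DD89138B04A5A7A0CF2E0"]))
```

Run as-is it reports two direct outbound web connections: the one to 140.136.148.42 at high severity and a second, unknown destination at medium severity. The medium-severity case is the point: the rule catches the evasion technique itself, so it keeps working when the attacker moves to a fresh command-and-control address that no indicator list covers yet.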
