Last week I wrote a blog post (see “Disguised PDF attack possible”) about a possible attack using a simple technique in Adobe Reader. It is now being observed that the writers of the Zeus malware are using the “/launch” command line parameter in Adobe Reader to launch malicious code without exploiting a vulnerability in the software.
The malicious PDF that is spreading through email has a compressed executable embedded in it. Just as email messages can have attachments, PDF files too can have attachments, which can be launched or opened based on a particular action. This new malware PDF has an executable attachment. When an unsuspecting user opens the PDF file in Adobe Reader, a dialog box appears asking the user to “Specify a file to extract to”. With this message coming from Adobe Reader for the first time, many users may get confused and choose to save the file. This automatically executes the embedded malware file and installs the Zeus bot.
As advised in my previous blog post on the same topic, I again recommend that users un-check the setting “Allow opening of non-PDF file attachments with external applications” in the program’s preferences pane. This way one can prevent automatic execution of the malware.
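
A triage check for the pattern described above, as an added example that is not code from the original post: it flags PDFs that combine a launch action with an embedded file attachment, and decodes `#xx` name escapes so an obfuscated `/Launch` is still matched. The function names and sample bytes are constructed for illustration, and the scan assumes the object dictionaries are not hidden inside compressed object streams.

```python
import re

# PDF names may hide characters as #xx hex escapes (e.g. /L#61unch == /Launch).
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")

# Names tied to the attachment-launch technique described in the post.
WATCHED = ("Launch", "EmbeddedFile", "EmbeddedFiles", "OpenAction")

# Constructed sample objects (not taken from a real malware sample).
SAMPLE_SUSPICIOUS = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /L#61unch /F 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Filespec /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
)
SAMPLE_BENIGN = b"%PDF-1.6\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so obfuscated names compare equal to plain ones."""
    plain = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count watched names found in raw (uncompressed) PDF bytes."""
    counts = {name: 0 for name in WATCHED}
    for match in _NAME.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def verdict(counts: dict) -> str:
    """Map name counts to a triage decision for a mail gateway or analyst."""
    has_file = counts["EmbeddedFile"] or counts["EmbeddedFiles"]
    if counts["Launch"] and has_file:
        return "quarantine"  # attachment plus launch action, as in the post
    if counts["Launch"]:
        return "review"      # launch action alone still deserves a look
    return "pass"


if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, verdict(scan_pdf(blob)))
```

A "pass" here only means none of the watched names appear in plain view; it does not replace the preference setting recommended above.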