It's hard to deny -- hackers love Adobe. Over the last several years Adobe has accounted for many of the top security vulnerabilities, because its rich file format gives attackers many easy routes to take over computers. By the looks of it, this last month has been another rough one for Adobe -- and not just because of its recent layoffs.
eWEEK, a leading computer and security news site, became the latest victim of an Adobe exploit earlier this month. Other sites owned by Ziff Davis, which owns eWEEK, were also affected. The Ziff Davis sites hosted an ad which, while looking legitimate, redirected users through a series of iFrames to a pornographic website. And that wasn't the end of the shenanigans, either. The site then tried to download an Adobe PDF containing a known exploit, 'bloodhound.exploit.213.'
A patch had previously been released for the exploit, which affects Adobe Acrobat and Reader versions 8.12 and earlier, but many users have yet to receive it. Once the exploit gains access to the system, it installs a file named "winratit.exe" in the user's temporary files folder, along with two other files, according to security researchers at Websense.
The files are activated when users are browsing the internet, and they try to get users to buy fake antivirus software by redirecting them to phony sites. Websense writes: "The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp://[removed]-site.info/, which has been set up to collect payment details."
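The two concrete facts above that an administrator can act on are the affected version range and the dropped file name. The following host-triage script is an added example written for this article, not code from Websense, Adobe or Ziff Davis: it compares an installed Acrobat/Reader version string against the "8.12 and earlier" range as the article states it, and sweeps the user's temporary folder for "winratit.exe". The demo directory it builds is a constructed sample so the script runs offline; the function names and the use of the TEMP/TMP environment variables are this example's own choices.

```python
import os
import re
import tempfile

# Indicator values taken from the article: the dropped file name and the
# last affected Acrobat/Reader version exactly as the article gives it.
DROPPED_FILE = "winratit.exe"
LAST_AFFECTED_VERSION = "8.12"


def parse_version(text):
    """Turn a dotted version string such as '8.1.2' into a comparable tuple of ints."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric components in version {text!r}")
    return tuple(int(p) for p in parts)


def reader_is_affected(installed_version, last_affected=LAST_AFFECTED_VERSION):
    """True when the installed version is at or below the last affected version."""
    return parse_version(installed_version) <= parse_version(last_affected)


def find_indicators(temp_dir, names=(DROPPED_FILE,)):
    """Walk temp_dir and return paths whose file name matches a known indicator.

    Matching is case-insensitive because Windows file names are.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for root, _dirs, files in os.walk(temp_dir):
        for name in files:
            if name.lower() in wanted:
                hits.append(os.path.join(root, name))
    return sorted(hits)


def triage(installed_version, temp_dir=None):
    """Combine the version check and the temp-folder sweep into one result dict."""
    if temp_dir is None:
        # Assumption: the user's temp folder is what TEMP/TMP points at.
        temp_dir = os.environ.get("TEMP") or os.environ.get("TMP") or tempfile.gettempdir()
    return {
        "reader_affected": reader_is_affected(installed_version),
        "indicators": find_indicators(temp_dir),
    }


def make_demo_temp_dir():
    """Build a constructed sample temp folder: one benign file and one indicator hit."""
    base = tempfile.mkdtemp(prefix="triage-demo-")
    os.makedirs(os.path.join(base, "cache"), exist_ok=True)
    with open(os.path.join(base, "cache", "report.tmp"), "w") as fh:
        fh.write("benign scratch file\n")
    # Mixed case on purpose: the sweep must still catch it.
    with open(os.path.join(base, "WinRatIt.exe"), "w") as fh:
        fh.write("placeholder, not the real dropped file\n")
    return base


if __name__ == "__main__":
    demo = make_demo_temp_dir()
    print(triage("8.1.2", demo))   # affected version, one indicator hit
    print(triage("9.0", demo))     # patched version, indicator hit still reported
```

Run as-is it reports on the constructed folder; pointing `triage` at a real machine means passing the Reader version read from the installed product and leaving `temp_dir` unset. A hit on the dropped file name is a reason to pull the host for a proper look, not proof of infection on its own, and a clean sweep does not clear a host whose Reader version falls inside the affected range.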
Currently only Symantec, BitDefender, GData, nProtect, Secure-Web Gateway and AntiVir detect the exploit. While this is little comfort to visitors of Ziff Davis pages who might now be infected, eWEEK and Ziff Davis announced, "The exploit in question did not compromise eWEEK.com or any Ziff Davis Enterprise Web sites."
The offending ads have been removed from the system.
The attack works on Windows XP SP3 computers and likely works on OS X computers as well. It is unknown whether it works on Windows Vista. Shadowserver writes that the attacks may just be starting to heat up for this exploit, stating, "Right now we believe these files are only being used in a smaller set of targeted attacks. However, these types of attacks are frequently the most damaging, and it is only a matter of time before this exploit ends up in every exploit pack on the Internet."