F-Secure Labs has learned of another interesting targeted attack. In this case, malicious PDF files were emailed to US defense contractors. While the "Aurora" attacks against Google and others happened in December 2009, this happened just last week.
The PDF file was quite convincing and it looked like it came from the Department of Defense:
The document talks about a real conference to be held in Las Vegas in March.
When opened to Adobe Reader, the file exploited the CVE-2009-4324 vulnerability. This is the doc.media.newPlayer vulnerability that Adobe patched last Tuesday.
The exploit dropped a file called Updater.exe (md5: 3677fc94bc0dd89138b04a5a7a0cf2e0). This is a backdoor that connects to IP address 126.96.36.199. In order to avoid detection, it bypasses the local web proxy when doing this connection.
Anybody who controls that IP will gain access to the infected computer and the company network. This particular IP is located in Taiwan.
While this attack is interesting at the detailed level, it shouldn't be much of a surprise that targeted attacks would be conducted against military contractors.
China’s cyberspies aren’t the only ones prowling Internet
“The consensus discussion is that everybody is busy spying on everybody else,” says Jody Westby, CEO of consulting firm Global Cyber Risk and a distinguished fellow at the Carnegie Mellon CyLab think tank. “These countries are doing it to us, but we’re also doing it to them.”