Several security companies today warned of a major malware campaign that tries to dupe users into opening rigged PDFs that exploit an unpatched design flaw in the PDF format.
Users who open the attack PDFs are infected with a variant of a Windows worm known as “Auraax” or “Emold,” researchers said.
The malicious messages masquerade as mail from company system administrators and come with the subject heading of “setting for your mailbox are changed,” said Mary Grace Gabriel, a research engineer in CA Inc.’s security group. A PDF attachment purportedly contains instructions on how to reset e-mail settings. “SMTP and POP3 servers for … mailbox are changed. Please carefully read the attached instructions before updating settings,” the message states.
In reality, the PDFs contain embedded malware and use the format’s /Launch function to execute that malware on Windows PCs running the newest versions of Adobe Systems Inc.’s Acrobat application or its free Adobe Reader, as well as other PDF viewers, such as Foxit Reader.
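A defensive triage check for the /Launch behaviour described above, as an added example that is not from the original article or from any vendor named in it. It scans a PDF's raw bytes for name tokens that decode to `Launch`, including `#XX` hex-escaped spellings of the name. The function names and sample byte strings are constructed for illustration, and names hidden inside compressed streams are not covered.

```python
import re

# A PDF name is "/" followed by regular characters; any character may also be
# written as a #XX hex escape, so /L#61unch is the same name as /Launch.
_NAME = re.compile(rb"/((?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> bytes:
    """Resolve #XX escapes so obfuscated spellings compare equal."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def find_launch(data: bytes) -> list:
    """Return (offset, raw_name) for every name token that decodes to Launch.

    Triage heuristic only: it reads raw bytes, so a name inside a compressed
    object stream is missed, and a literal "/Launch" in page text is flagged.
    """
    hits = []
    for m in _NAME.finditer(data):
        if decode_name(m.group(1)) == b"Launch":
            hits.append((m.start(), m.group(1)))
    return hits


def has_launch(data: bytes) -> bool:
    return bool(find_launch(data))


# Constructed, inert fragments (no launch target is specified in any of them).
BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S /Launch >>\nendobj\n"
OBFUSCATED = b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S/L#61unch >>\nendobj\n"
LOOKALIKE = b"%PDF-1.4\n1 0 obj\n<< /Launcher 3 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("plain", PLAIN),
                          ("obfuscated", OBFUSCATED), ("lookalike", LOOKALIKE)]:
        print(label, find_launch(sample))
```

A hit is a reason to quarantine the attachment for closer inspection, not proof of malice, since legitimate documents can also carry launch actions.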