Security researchers are warning about an ongoing targeted email attack that uses a FIFA World Cup-themed lure to trick recipients into opening a malicious PDF file. The PDF exploits a code execution vulnerability in Adobe Reader and Acrobat that Adobe patched in February 2010 (CVE-2010-0188), so the attack only succeeds against installations that have not applied that update.
The FIFA World Cup is the most important football (soccer, to Americans) competition and arguably the most-watched regularly held sporting event in the world. The 19th edition kicks off on June 11, 2010 in South Africa. The current attack misuses the name and intellectual property of Greenlife Africa, a well-known African safari operator that publishes an informative and useful PDF guide to the World Cup. According to Symantec, the attackers downloaded Greenlife's legitimate PDF and modified it to carry the exploit code, which is why the document looks genuine to the recipient. Symantec also notes that an employee of "a major international organisation that brings together governments from all over the world" was among the targets of the email. The wording of the message suggests the attackers hoped consulates and tourism authorities would redistribute the PDF to the general public through official channels.
Successful exploitation drops several encrypted executable files on the system and runs them. The payload includes a rootkit component that installs itself as a Windows service named "Remote Access Connection Locator." The malware may also be able to spread on its own across local networks. Symantec warns that antivirus detection rates for the sample are currently very low, so patching is the primary defence: users of Adobe Reader or Acrobat versions older than 9.3.1 (9.x branch) or 8.2.1 (8.x branch) are urged to upgrade to the latest version immediately.
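The two checks a practitioner would run on a Windows host after reading this are whether the installed Reader or Acrobat build predates the fix, and whether the rootkit's service name is present. The following is an added example written for this article, not Symantec's or Adobe's code; the service listing it parses is a constructed sample in the format of `sc query`, and the version strings are constructed as well. The version test is done per branch, because 8.2.1 is fixed while 9.0.0 is not, so a single "at least 8.2.1" comparison would clear a vulnerable 9.x install. The service match is exact, since the rogue name is one word away from the legitimate Remote Access Connection Manager (RasMan) service that ships with Windows.

```python
"""Triage helpers for the World Cup PDF lure (CVE-2010-0188).

Added example, not Symantec's code. Checks the two indicators the advisory
gives: (1) an Adobe Reader/Acrobat version string below the fixed builds
9.3.1 / 8.2.1, and (2) a Windows service named "Remote Access Connection
Locator" in a service listing. All sample inputs below are constructed.
"""
import re

# Minimum patched build per supported branch, as stated in the advisory.
PATCHED = {9: (9, 3, 1), 8: (8, 2, 1)}

# Service name reported for the rootkit component (compared case-insensitively).
ROGUE_SERVICE = "remote access connection locator"


def parse_version(s):
    """'9.3.0' -> (9, 3, 0); tolerates '9.3' and trailing text like '9.3.0 (Pro)'."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"not a version string: {s!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_vulnerable(version):
    """True if this Reader/Acrobat build predates the CVE-2010-0188 fix.

    The comparison is per branch: 8.2.1 is fixed, but a naive
    'version >= 8.2.1' check would wrongly clear 9.0.0, which is vulnerable.
    Branches other than 8 and 9 (e.g. 7.x) received no fix and are treated
    as vulnerable.
    """
    v = parse_version(version)
    fixed = PATCHED.get(v[0])
    if fixed is None:
        return True
    return v < fixed


def find_rogue_service(sc_query_output):
    """Return the SERVICE_NAME/DISPLAY_NAME lines that match the rootkit's service.

    Input is text in the shape of `sc query type= service state= all`.
    Both the internal name and the display name are checked because the
    advisory does not say which one carries the string; matching is exact
    (after case folding) so the legitimate RasMan service is not flagged.
    """
    hits = []
    for line in sc_query_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("SERVICE_NAME", "DISPLAY_NAME"):
            if value.strip().lower() == ROGUE_SERVICE:
                hits.append(line.strip())
    return hits


# Constructed sample listing: the real RasMan service followed by the rogue one.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: RasMan
DISPLAY_NAME: Remote Access Connection Manager
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Remote Access Connection Locator
DISPLAY_NAME: Remote Access Connection Locator
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

if __name__ == "__main__":
    for v in ("9.3.0", "9.3.1", "8.2.0", "8.2.1", "7.1.4", "9.0.0"):
        print(f"Reader {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    for hit in find_rogue_service(SAMPLE_SC_QUERY):
        print("suspicious service entry:", hit)
```

On a real host, feed `find_rogue_service` the saved output of `sc query type= service state= all`, and feed `is_vulnerable` the version shown in Reader's Help > About dialog or in the product's uninstall registry entry. A match on the service name is an infection indicator for this sample only; an absent match does not clear the machine, since the dropped executables are encrypted and detection rates are low.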