
PDFAnalysis

Introduction

8 June 2010: If you received a resume in PDF format with my name on it, please be aware that a spammer/criminal modified the PDF to include an infective payload (in other words, a virus) and sent it to a bunch of people. I have nothing to do with it: those criminals took random PDFs from the Internet, modified them and sent them out randomly.

I made a technical summary of the information collected and of what is inside the attacker's version.

Technical Information

The exploit inside relies on the "/Launch" action technique discovered by Didier Stevens (http://blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html). The malware inside is a variant of the Alureon trojan (a name-resolution hijacker that also includes a backdoor and a keylogger).
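As an added, defender-side example (not code from the original post nor from Didier Stevens' tools), here is a small Python scanner for the /Launch action described above; it resolves #xx-escaped names such as /#4Caunch and inflates FlateDecode streams so a compressed object stream cannot hide the action. The sample PDF bytes are constructed, and the file names in it are placeholders.

```python
"""Static scan of a PDF for /Launch actions. Handles #xx-escaped names
and FlateDecode streams. Added example, not code from the original post."""
import re
import zlib

NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")            # PDF name tokens
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
TARGET_RE = re.compile(rb"/F\s*\((.*?)\)", re.DOTALL)     # /F (file) target

def normalize_name(raw: bytes) -> bytes:
    """Resolve #xx escapes: /#4Caunch is the same name as /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def inflate_streams(data: bytes) -> list:
    """Bodies of every stream that inflates cleanly; compressed object
    streams hide dictionaries (and their names) from a plain grep."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate or damaged; the raw bytes are scanned anyway
    return bodies

def find_launch_actions(data: bytes) -> list:
    """One record per /Launch name: its /F target, whether it was hidden in
    a stream, and whether an /OpenAction exists (fires on document open)."""
    chunks = [data] + inflate_streams(data)
    auto_open = any(normalize_name(n) == b"OpenAction"
                    for c in chunks for n in NAME_RE.findall(c))
    hits = []
    for chunk in chunks:
        for m in NAME_RE.finditer(chunk):
            if normalize_name(m.group(1)) != b"Launch":
                continue
            tail = chunk[m.end():m.end() + 256]   # rest of the same action dict
            t = TARGET_RE.search(tail)
            hits.append({"target": t.group(1) if t else None,
                         "auto_open": auto_open,
                         "compressed": chunk is not data})
    return hits

# Constructed sample, not the real malicious file: an /OpenAction pointing at
# a /Launch action, plus a hex-escaped copy inside a Flate stream (placeholders).
OBJ = zlib.compress(b"<< /S /#4Caunch /F (stage2.bat) >>")
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
              b"5 0 obj << /Type /Action /S /Launch /Win << /F (notepad.exe) >> >> endobj\n"
              b"6 0 obj << /Filter /FlateDecode /Length " + str(len(OBJ)).encode()
              + b" >> stream\n" + OBJ + b"\nendstream endobj\n%%EOF\n")
```

Calling find_launch_actions(SAMPLE_PDF) returns two hits, the plain one and the hex-escaped one from inside the compressed stream, both flagged as auto-opening.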