F-Secure Labs has learned of another interesting targeted attack. In this case, malicious PDF files were e-mailed to US defense contractors. While the "Aurora" attacks against Google and others happened in December 2009, this happened just last week.
The PDF file was quite convincing and it looked like it came from the Department of Defense:
PDF file md5 hash: c144581973fe16a6adca09e0d630bf63
The document talks about a real conference to be held in Las Vegas in March.
When opened to Adobe Reader, the file exploited the CVE-2009-4324 vulnerability. This is the doc.media.newPlayer vulnerability that Adobe patched last Tuesday.
The exploit dropped a file called Updater.exe (md5: 3677fc94bc0dd89138b04a5a7a0cf2e0). This is a backdoor that connects to IP address 126.96.36.199. In order to avoid detection, it bypasses the local web proxy when doing this connection.
Anybody who controls that IP will gain access to the infected computer and the company network. This particular IP is located in Taiwan.