In the middle of all the attention to the "Operation Aurora" attacks, we're now seeing new targeted attacks that are using this very event as the lure to get the targets to open a malicious attachment!
Here's the e-mail we saw (the mail was forged to look like it came from gwu.edu):
From: david████@gwu.edu
Date: Wed, 20 Jan 2010 09:26:24
To: (email addresses of the targets)
Subject: Chinese cyberattack

Colleagues,
Attached is a short piece I just wrote for the Far Eastern Economic Review about Chinese cyberattack. I hope you find it interesting.
If you have any good idea / comments, are warmly welcome to feedback.
Best,
David

Attachment: Chinese cyberattack.pdf
The attachment Chinese cyberattack.pdf (md5: 238ecf8c0aee8bfd216cf3cad5d82448) is a PDF file which exploits the CVE-2009-4324 vulnerability in Adobe Reader (again, this is the one which was patched last week).
The exploit drops and runs a backdoor called Acrobat.exe (md5: 72170fc42ae1ca8a838843a55e293435). We detect this as W32/PoisonIvy.NQ. The PDF is detected as Trojan.Script.256073.