Adobe’s PDF now a security threat
Written by Darren Yates   
Friday, 26 October 2007





PDF Trojan attacks begin, new patches for Adobe Reader and Acrobat available.

While tools such as Internet Explorer have long been a haven for aspiring virus writers, it seems they’ve been turning their attention to other commonly used formats and tools, with first RealPlayer and now Adobe’s PDF the target of Trojan attacks.

The PDF vulnerability was first discovered in September when videos emerged of a PDF file launched in Adobe Acrobat Reader also launching Notepad and Windows Calculator.

The video on YouTube can be viewed here.

The attack process appears to be very similar to the RealPlayer issue we reported on recently, whereby the first Trojan attacks Windows Firewall and switches it off, allowing other, more serious Trojans to be downloaded to the system more easily.

While Adobe released a workaround for the problem some weeks ago, the vulnerability was only patched this Monday.

Symantec calls the Trojan “Trojan.Pidief.A” but, at the moment, considers it a “very low” risk virus. According to Symantec, it turns off Windows Firewall and then downloads another Trojan from the Internet address 81.95.146.30. The file (ldr.exe) is saved into the current working folder and executed.

However, that threat level will likely rise after a Symantec blog site said that the company has already seen a number of spam emails circulating with the Trojan attached, thought to have been targeted at certain business organisations.

The site says the Trojan will likely arrive in an email with the subject heading “invoice”, “bill” or “statement” and PDF files attached with names such as “INVOICE.pdf”, “YOUR_BILL.pdf”, “BILL.pdf” and “STATEMET.pdf” (sic).
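As an added illustration (not from Symantec, Adobe or this article's author), the lure described above can be turned into a simple mail-gateway triage check. The function names, the whole-word subject match and the quarantine/review/pass thresholds are assumptions of this example, and the sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators quoted in the article; names are compared case-insensitively.
SUBJECT_WORDS = ("invoice", "bill", "statement")
ATTACHMENT_NAMES = {"invoice.pdf", "your_bill.pdf", "bill.pdf", "statemet.pdf"}


def triage(raw_message: str) -> dict:
    """Match one raw RFC 5322 message against the reported lure indicators."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    # Whole-word match so "billing" does not count as "bill" (assumption).
    subject_hit = any(re.search(rf"\b{re.escape(w)}\b", subject)
                      for w in SUBJECT_WORDS)
    # get_filename() reads the name from Content-Disposition or Content-Type.
    names = [(p.get_filename() or "").strip().lower() for p in msg.walk()]
    pdfs = [n for n in names if n.endswith(".pdf")]
    exact = [n for n in pdfs if n in ATTACHMENT_NAMES]
    # Verdict thresholds are this example's assumption, not Symantec's.
    if subject_hit and exact:
        verdict = "quarantine"
    elif exact or (subject_hit and pdfs):
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "subject_hit": subject_hit, "matched": exact}


def build_sample(subject: str, filename: str) -> str:
    """Constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "billing@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content("Please see attached.")
    m.add_attachment(b"%PDF-1.4 constructed placeholder",
                     maintype="application", subtype="pdf", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, name in [("Your invoice", "INVOICE.pdf"), ("Monthly bill", "report.pdf"),
                       ("Billing update", "notes.pdf"), ("Hello", "STATEMET.pdf")]:
        print(subj, "|", name, "|", triage(build_sample(subj, name)))
```

Name and subject matching of this kind only narrows what a human or sandbox needs to look at; the updated virus definitions and the Adobe patch remain the actual protection.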

Symantec has updated its virus definitions and users with revision 008 dated October 23, 2007 or later are protected from the attack.

Adobe has released the patch on its website and says that the vulnerability affects Adobe Acrobat Reader 8.1 and older, Reader 7.0.9 and older on Windows XP and Windows 2003 systems with Internet Explorer 7 installed. The company says that Windows Vista users are not affected.

Microsoft has also released a security advisory note on its Technet website outlining the issues with Windows XP/2003 and Internet Explorer 7, although at this stage it has not released any patches. The company said it is investigating the reports and upon completion of its investigations “Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”

Both Symantec and Adobe recommend Acrobat Reader and Acrobat users update their software with the latest patch as soon as possible to remove the risk of attack from these Trojan PDFs.





© 2008 techlogg.com