Adobe Reader Exploit Drops Trojan.Zonebac

As I was driving into work this morning, my blackberry was flooded with Trojan.Zonebac alerts. When I got into work, I could see that a single computer at one of our sites was getting this detection on pretty much every major exe. When I read the Technical writeup of Trojan.Zonebac at Symantec, I found out why. Zonebac searches for files referenced in the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

For all the files found referenced in the registry subkey values, the Trojan creates a copy of the referenced file in a folder named "bak" at the same path as the original file. Then the Trojan will replace the original file with a copy of itself.

Now that is a mess. Normally, I see it as a fun challenge to clean machines, but in this case with so many EXEs suspect, and with the computer being remote, it seemed to be a better bet to wipe the system.

This evening the SANS Handler Diary had an entry revealing that the Adobe Reader/Professional vulnerability is currently being exploited and Zonebac is being dropped. That explains what happened.

It looks like I may have to move up my implementation of Adobe Reader 8.2.1

Brian Krebs' writeup on this reports that according to iDefense this was spreading through banner ads. http://blog.washingtonpost.com/securityfix/2008/02/hackers_exploiting_adobe_reade.html