Adobe Reader Exploit Drops Trojan.Zonebac

As I was driving into work this morning, my blackberry was flooded with Trojan.Zonebac alerts. When I got into work, I could see that a single computer at one of our sites was getting this detection on pretty much every major exe. When I read the Technical writeup of Trojan.Zonebac at Symantec, I found out why. Zonebac searches for files referenced in the following registry subkeys:


For all the files found referenced in the registry subkey values, the Trojan creates a copy of the referenced file in a folder named “bak” at the same path as the original file. Then the Trojan will replace the original file with a copy of itself.
Now that is a mess. Normally, I see it as a fun challenge to clean machines, but in this case with so many EXEs suspect, and with the computer being remote, it seemed to be a better bet to wipe the system.
This evening the SANS Handler Diary had an entry revealing that the Adobe Reader/Professional vulnerability is currently being exploited and Zonebac is being dropped. That explains what happened.
It looks like I may have to move up my implementation of Adobe Reader 8.2.1
Brian Krebs’ writeup on this reports that according to iDefense this was spreading through banner ads.