New wave of 'PDF malware' seen

A new wave of malware masquerading as portable document format (PDF) files is now making the rounds of cyberspace, a computer security firm warned over the weekend. Sunbelt/GFI Labs noted an uptick of the PDF attack, this time posing as a message from the United States Postal Service (USPS). In a blog post, Sunbelt/GFI said the email claims the package was not delivered, and asks the email recipient to open the PDF file and print out the attached label it supposedly contains. But once downloaded onto a system, GFI Labs said the malware will undertake the following actions:

• When executed, it connects to the IP address, 91.221.98.29, and downloads a file named step.exe - which is a variant of FakeSysDef, a rogue malware.
• It checks on the following websites, all of which are from Russia:
  • followmego12.ru
  • hidemyfass87111.ru
  • losokorot7621.ru
  • mamtumbochka766.ru

"Doing site checks could mean a lot of potential actions this malware might do, like downloading other binaries/components onto the infected system, updating a copy of itself, posting information to these sites, or waiting for commands from its controller. As of this writing, the file does not download other binaries or additional component files," it said. Sunbelt/GFI Labs detects this malware as Trojan.Win32.Generic!BT. It advised recipients to steer clear of these kinds of emails, especially if they never made transactions with such companies. "When in doubt, double check with the supposed sender by calling their office for confirmation, but do not reply to the sender's email address," it said. "With Black Friday and Cyber Monday (not to mention Cyber Weekend and the holiday season) just around the corner and majority of the people everywhere are shopping online, it is wise to expect such attacks to multiply further in the coming days and weeks. Such an attack is not new; however, many are still falling for it. It's time to wise up," it added. — TJD, GMA News