Adobe Acrobat exploit hijacks Google search results
I had the displeasure of dealing with a virus-infected Windows XP machine over the weekend. This virus was a browser hijacker, but it functioned for all web browsers (Firefox, IE and Chrome were used to test this theory) and essentially intercepted and re-wrote Google results to point to spammy sites which seemed to only exist to earn ad revenue. The interesting thing is the infection vector – this hijack managed to infiltrate the system through Acrobat Reader and a known security hole which has yet to be patched (as far as I am aware, anyway).
Essentially the user had opened a few links from a results page on Google. One of those pages redirected to a PDF which, due to the configuration of the machine, auto-loaded within the browser. A piece of malicious JavaScript embedded in the PDF was executed by Acrobat and from there, the hijacker was well and truly in place.
There seem to be a few variants of this virus lurking about, but a fair few seem to have a tell-tale sign of the IP address ‘7.7.7.0’ popping up in the status bar of the browser while it redirects you to a spam site. Not all of them have this, and other unknown IP addresses could well pop up. The variant which had infected the machine I was dealing with had a trick of making most requests to anti-malware sites fail. Out of the top 10 results for ‘antivirus’ on Google, only 1 of those actually loaded the intended page – the rest did not redirect to spam sites, instead they merely timed out and were impossible to reach (www.prevx.com was the URL I used as an acid test).
Ultimately, this virus seems to be innocuous in the respect that I haven’t seen mention of it accessing personal data or otherwise messing around with your system. In particular, I was surprised to find that it only planted its own files in the system and didn’t try to infect every crucial system process like some viruses do. Even more surprising is how easy it was to get rid of!
First things first though: this virus does make any attempt to start cmd.exe or regedit.exe fail miserably. The processes simply crash, usually taking explorer.exe with them. You will need to access your registry in order to rid yourself of this virus so you will need to run regedit. To do this, navigate to your Windows folder (usually C:\Windows) and find regedit.exe. Copy this file and name it anything you like, but keep the .exe extension. Now, run the file you just renamed and you will find that regedit loads without crashing.
Now you need to navigate to this location: HKLM\software\microsoft\windows nt\currentversion\drivers32. Once there, you will see a list of keys in the right hand side. Look for ones called ‘aux’ or a variation on that (‘aux2’ etc.). Now, this is where it gets tricky. You will see that for the ‘aux’ key (or for all ‘aux*’ keys) there is a value with a filename given. Chances are this file is legitimate, as the virus likes to hide itself with a similar placement and naming of its code file.
I have seen many different values for this key which point to legitimate system files, as well as many pointing to this virus. The problem is finding out which is which, but this post about the virus goes into some detail about which filenames are normal and which are not. When you find out which one is the naughty file, you can use a tool like HijackThis to delete it upon reboot – since it is in use, you most likely will be unable to delete it while Windows is loaded. Once I located the bad file and set it to delete on reboot with HijackThis, the problems disappeared. Just to make sure, I went into the registry again and deleted the reference to the file, which could have been done before the reboot.
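As an added example, not code from the original post: the PowerShell check below audits the Drivers32 key used in the removal steps above. It goes a little beyond the post by listing every entry rather than only the ‘aux’ ones, resolving the file each entry names and flagging the signs described here (an extra ‘aux2’-style entry, a missing file, a file that is not validly signed). It assumes an elevated Windows PowerShell session and only reads; it deletes nothing.

```powershell
# Added example, not from the original post: read-only audit of the Drivers32
# key that the hijacker described above uses to load its file. Assumes an
# elevated Windows PowerShell session with Get-AuthenticodeSignature available.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-Drivers32Audit {
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata the registry provider adds.
        if ($p.Name -like 'PS*') { continue }
        $value = [string]$p.Value
        # Drivers32 entries are normally bare file names that live in System32.
        $path  = if ($value -match '[\\/]') { $value } else { Join-Path $sys32 $value }
        $flags = @()
        # The post notes the hijacker hides under 'aux' or an 'aux2'-style variant.
        if ($p.Name -match '^aux\d+$') { $flags += 'extra aux entry' }
        if ($value -match '[\\/]')     { $flags += 'full path instead of bare name' }
        if (-not (Test-Path -LiteralPath $path)) {
            $flags += 'file missing'
            $status = 'n/a'
        } else {
            $status = (Get-AuthenticodeSignature -FilePath $path).Status
            if ($status -ne 'Valid') { $flags += "signature $status" }
        }
        [pscustomobject]@{
            Name      = $p.Name
            Value     = $value
            Path      = $path
            Signature = $status
            Flags     = ($flags -join '; ')
        }
    }
}

# Flagged entries sort to the top; unflagged ones follow.
Get-Drivers32Audit | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Treat the flags as leads rather than verdicts: on older Windows versions many genuine system files are catalog-signed and report NotSigned here, so a flagged file still needs checking against the list of normal filenames linked at the end of the post before it is scheduled for deletion.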
The interesting point about this virus is how it infiltrates through a malicious PDF file, something a lot of people will see as no risk to their security. Once there, it affects their search results on Google and Yahoo, presenting itself as a noticeable nuisance whilst also prohibiting access to any sites hosting software which could result in its removal. This seems a bit weird, as I noticed that BitDefender, Malware Bytes and Spybot all skipped over the virus without uttering a single warning to me, while a rootkit scan with UnHackMe did highlight a possible issue. For those who don’t know, a rootkit is essentially something which interferes with the system to hide its own presence – very useful for a virus, don’t you think?
I hope we don’t see this kind of virus popping up more and more. Adobe seem to have known about the security hole for a year or two, and only made their knowledge official in February 2009. Security experts recommend disabling autoloading of PDF documents in your browser along with disabling JavaScript execution in Acrobat Reader’s own settings.
Anyway, I hope this helps some people out, so I have put a couple of links below to informative articles which helped me to get rid of the pesky thing:
Fake sysaudio.sys causes Searchengine Hijack – particularly useful for the list of files which are candidates for infection
Browser Redirect to 7.7.7.0 – interesting
HijackThis – good for diagnosing problems and for removing files on the next bootup
UnHackMe – useful for scanning for rootkits and other malware
Geoff Adams
Programmer, Research and Development