Watch Out for flower-show.org

We saw a pretty PDF file today (md5: 116d92f036f68d325068f3c7bbf1d535).

It looks like this:

[Image: flower-show.org]

Nice flowers.

Unfortunately, when the file is opened, it exploits Adobe Reader and drops and runs a file called 1.exe.

This executable is a Poison Ivy backdoor. It calls home to a host called cecon.flower-show.org. Whoever controls the computer at that address gains remote access to the target computer. The PDF was used in a targeted espionage attack against an unknown target.

We had already seen the domain flower-show.org back in 2009, when another PDF called home to posere.flower-show.org.

[Image: flower-show.org]

Today, both of those host names resolve to 202.150.213.12, which is not in China. It's in Singapore.
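As an added defensive example (not part of the original post), the following Python scans DNS query log lines for the indicators above: any host name under flower-show.org, and any answer pointing at 202.150.213.12. The six-field log layout and the sample lines are constructed for illustration.

```python
from dataclasses import dataclass, field

# Indicators taken from the post.
C2_DOMAIN = "flower-show.org"
C2_IP = "202.150.213.12"

# Constructed sample log in a hypothetical layout:
# <timestamp> <client> query <qname> <qtype> <answer>
SAMPLE_DNS_LOG = """\
2010-08-02T14:51:03 10.0.0.15 query www.example.com A 93.184.216.34
2010-08-02T14:52:10 10.0.0.15 query cecon.flower-show.org A 202.150.213.12
2010-08-02T14:52:44 10.0.0.22 query mail.notflower-show.org A 198.51.100.7
2010-08-02T14:53:01 10.0.0.31 query update.flower-show.org A 202.150.213.12
2010-08-02T14:53:30 10.0.0.40 query cdn.example.net A 202.150.213.12
"""


@dataclass
class Hit:
    timestamp: str
    client: str
    qname: str
    answer: str
    reasons: list = field(default_factory=list)


def is_c2_domain(name: str) -> bool:
    """True for flower-show.org itself or any label beneath it.

    Matching on the label boundary avoids false positives on look-alike
    names such as notflower-show.org.
    """
    name = name.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def scan_dns_log(text: str) -> list:
    """Return one Hit per log line that touches the C2 domain or the C2 IP."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "query":
            continue  # skip malformed or unrelated lines
        ts, client, _, qname, _, answer = parts
        reasons = []
        if is_c2_domain(qname):
            reasons.append("c2-domain")
        if answer == C2_IP:
            # Catches the same infrastructure reached via a new host name.
            reasons.append("c2-ip")
        if reasons:
            hits.append(Hit(ts, client, qname, answer, reasons))
    return hits
```

The IP check is what surfaces the last sample line: a fresh host name on the same server is still the same infrastructure.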

On 08/02/10 At 02:54 PM
