
Mal/Dotter-A

By ZulaZuza in Viruses

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 1
First Seen: December 21, 2011
Last Seen: December 6, 2020
OS(es) Affected: Windows

One of the most prominent email scams of the last quarter of 2011 uses authentic-looking messages to distribute malware that exploits security vulnerabilities in Adobe Reader and other products from Adobe Systems. According to ESG security researchers, the authors of this campaign are still taking advantage of a vulnerability in some of Adobe's products and are spreading their exploit through malicious email. Such an email usually carries an embedded link or an attached file which, once opened, runs code that contacts a remote server in order to infect the victim's computer with malware. The scam email associated with Mal/Dotter-A is disguised as a financial report from Barclays, a well-known bank with its headquarters in New York City.

Details of the Mal/Dotter-A Email Scam

The spam email associated with Mal/Dotter-A is very convincing and includes an attached file which claims to contain a weekly newsletter from other high-level financial firms. Unlike many spam campaigns, the email associated with the Mal/Dotter-A scam is well written and has several characteristics that may fool even experienced computer users. The attached file is named 'Barclays Capital Financial Sponsors Weekly Newsletter.pdf' and exploits the CVE-2011-2462 vulnerability in Adobe Reader 9. This scam is part of a series of similar emails claiming to have been sent by other well-known financial institutions such as Barclays Capital. Computer users unaware of this vulnerability in Adobe's product may believe that the PDF extension on the attachment makes it harmless.

However, opening the attached file with Adobe Reader 9 creates three files: an executable named dump and two other files named AcrA2CA.tmp and d3d8caps.dat. The executable is the actual malware dropper; it connects to a remote server to download and install malware onto the victim's computer. Security analysts have identified this downloader as Mal/Dotter-A. Typically, this infection is used to install a remote access Trojan on the victim's computer, usually an iteration of the Zeus Trojan. With it, criminals can take control of the victim's computer and integrate it into an existing botnet.

Adobe Systems has reported that it is working on a patch to fix this vulnerability in Adobe Reader. Until that patch is released, malware analysts can expect a continuous stream of new email scam campaigns distributing malicious PDF files.
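The write-up gives two concrete indicator sets a defender can act on: the lure attachment name seen in the mail, and the three files the PDF drops on the host. The script below, an added example rather than code from the original page or from ESG, checks both. It parses a constructed sample message with Python's standard `email` library and flags the attachment, then checks a constructed directory listing for the dump / AcrA2CA.tmp / d3d8caps.dat triad. The sample message, the directory listing and the lure-filename list are assumptions built for the demonstration; the only indicators it relies on are the ones named above.

```python
"""Indicator checks for the Mal/Dotter-A email lure described above.

Added example, not from the original page. The only indicators used are the
ones the write-up names: the lure attachment filename and the three files the
malicious PDF drops (dump, AcrA2CA.tmp, d3d8caps.dat). The sample messages
and directory listings below are constructed for the demonstration.
"""
import email
from email import policy

# Attachment names the write-up associates with this campaign (lower-cased
# for comparison). A real deployment would extend this as new lures appear.
LURE_FILENAMES = {
    "barclays capital financial sponsors weekly newsletter.pdf",
}

# Files the exploit writes when the PDF is opened in Adobe Reader 9.
DROPPED_FILES = {"dump", "acra2ca.tmp", "d3d8caps.dat"}

PDF_MAGIC = b"%PDF"


def suspicious_attachments(raw_message: bytes) -> list[dict]:
    """Parse an RFC 5322 message and return findings for risky attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower() in LURE_FILENAMES:
            reasons.append("known_lure_filename")
        if name.lower().endswith(".pdf") and not payload.startswith(PDF_MAGIC):
            # Claims to be a PDF but the bytes say otherwise.
            reasons.append("pdf_extension_without_pdf_header")
        if name.lower().endswith(".pdf") and part.get_content_type() != "application/pdf":
            reasons.append("content_type_mismatch")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def dropped_artifacts(listing) -> set[str]:
    """Return which of the known dropped files appear in a directory listing."""
    present = {name.lower() for name in listing}
    return present & DROPPED_FILES


def host_shows_infection(listing) -> bool:
    """True only when the full triad the write-up describes is present."""
    return dropped_artifacts(listing) == DROPPED_FILES


# --- constructed sample data (not captured from a real campaign) --------------
SAMPLE_LURE_EML = b"""From: newsletter@example.invalid
To: analyst@example.invalid
Subject: Financial Sponsors Weekly Newsletter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain

Please find this week's newsletter attached.
--sample-boundary
Content-Type: application/pdf; name="Barclays Capital Financial Sponsors Weekly Newsletter.pdf"
Content-Disposition: attachment; filename="Barclays Capital Financial Sponsors Weekly Newsletter.pdf"
Content-Transfer-Encoding: 7bit

%PDF-1.4 (constructed placeholder body, not a real document)
--sample-boundary--
"""

# Constructed listing of a temp directory after the PDF was opened.
SAMPLE_TEMP_LISTING = ["AcrA2CA.tmp", "d3d8caps.dat", "dump", "unrelated.log"]

if __name__ == "__main__":
    for f in suspicious_attachments(SAMPLE_LURE_EML):
        print("attachment", repr(f["filename"]), "->", ", ".join(f["reasons"]))
    print("dropped-file triad present:", host_shows_infection(SAMPLE_TEMP_LISTING))
```

The filename match is the weakest of the three attachment checks, since a new lure only needs a new name; the header and content-type checks catch the more general case of an attachment that is not what its extension claims. On the host side the script requires all three dropped files before reporting an infection, because `dump` alone is a common enough name to produce false positives.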
