Nobel Peace Prize invitation hides PDF Trojan

Spoofed email builds on interest in Chinese dissident to deliver Trojan

If you receive an email inviting you to Oslo to see the Chinese dissident Liu Xiaobo receive his Nobel Peace Prize in December, don't open the PDF attachment.

Mikko Hyppönen, chief research officer at Helsinki-based antivirus vendor F-Secure Corp., said the attachment contains a PDF Trojan that targets an Adobe Reader vulnerability.

Hyppönen said the spoofed message purports to come from the Oslo Freedom Forum and contains a very convincing invitation. Security researchers have not yet determined who sent the attack or who the intended target, or targets, might be.

If the file invitation.pdf is opened, it uses an exploit (Exploit.PDF-TTF.Gen) to crash Adobe Reader, Hyppönen wrote in a F-Secure blog entry. It then drops a backdoor (Trojan.Generic.4974556) to the system, which attempts to contact a command-and-control server to download additional malware and instructions.

Adobe Systems Inc. has been the favourite target of attackers who use PDF Trojan attachments in email as well as drive-by attack websites to target zero-day vulnerabilities and users who haven't fully patched their software. In addition, attackers are increasingly targeting Adobe Flash, a browser component.

Liu Xiaobo will not be in Oslo to receive the Nobel Peace Prize as he is serving an 11-year jail sentence in China for his activities in campaigning for human rights in China. His lawyer was also prevented from leaving China because, it is believed, the Chinese authorities feared he would be collecting the prize on his client's behalf.

The latest email attack builds on growing interest in his case, and follows an incident two weeks ago, when the Nobel Peace Prize website was hacked with a zero-day attack against Firefox.

Read more on Hackers and cybercrime prevention