Monday, 12 January 2009

Parishilton.com Renders New Malware Trick

The official website of celebrity socialite Paris Hilton, parishilton.com, was compromised and, like so many other compromised websites today, the site was outfitted with a hidden iframe. That iframe pointed to malware hosted on you69tube.com, a porn video site. Those who visited parishilton.com during the time of compromise would have been subject to an array (no pun intended) of exploit code, including the highly publicized Adobe Reader printf vulnerability. That vulnerability impacts Adobe Reader versions 8.1.2 and below. (Adobe Reader 9.0, released in July 2008, is not susceptible to the flaw.)

Successful exploitation led to the installation of a downloader trojan, which in turn led to the installation of a remotely customizable data theft trojan. That malware includes the ability to intercept and tamper with HTTP and other network traffic, as well as the ability to self-update and to download additional malware.

The method the attackers used to deliver the PDF printf exploit was particularly interesting. As Core Security noted when they published details of the Adobe Reader printf buffer overflow vulnerability, "successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file". Obviously, requiring the user to open a file poses an additional challenge for attackers.

If the attackers passed the PDF as a straight URL, visitors would receive a prompt to open the PDF without any accompanying explanation as to why, and thus would have no incentive to comply. Another method would be to pass the PDF as an embedded object within the iframe. But while the printf exploit only works on older versions of Adobe Reader, some of those older versions won't render a PDF embedded as an object. If you encounter such a page, you'll receive an error message titled "Acrobat Plugin" with the terse admonishment that "This operation is not allowed". In other cases, the embedded object will result in multiple prompts to allow the active content. (To see how your browser reacts to PDF files embedded as an object in an HTML file, check out Gordon Kent's classic on PlanetPDF.)

To get around this in the parishilton.com attacks, the attackers tried two methods. The first attempt passed the PDF as an object. The second was a PHP-generated alert dialog that included the URL to the PDF. To the casual observer, this might seem like a standard social engineering scheme. But regardless of where the user clicked (including the X to close the dialog box), that click resulted in the PDF being opened, which in turn allowed the JavaScript embedded in the PDF to run, which in turn triggered the printf exploit.
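As an added triage example (not code from the original post), the following Python script flags the two delivery tricks described above when run over a page's HTML: hidden iframes pointing off-site, and object/embed tags that load a PDF. It also checks raw PDF bytes for the JavaScript and OpenAction markers that an auto-running exploit PDF needs. The sample HTML and PDF fragment are constructed for the example, and malware.example is a placeholder hostname.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
class _EmbedCollector(HTMLParser):
    """Collect iframe/object/embed start tags with their attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "object", "embed"):
            self.tags.append((tag, dict(attrs)))

def _looks_hidden(attrs):
    """True for display:none / visibility:hidden or a 0-1 pixel frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    def tiny(name):
        v = (attrs.get(name) or "").lower().rstrip("px")
        return v.isdigit() and int(v) <= 1
    return tiny("width") and tiny("height")

def find_suspicious_embeds(html, site_host):
    """Flag hidden off-site iframes and any object/embed that loads a PDF."""
    parser = _EmbedCollector()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.tags:
        src = attrs.get("src") or attrs.get("data") or ""
        offsite = (urlparse(src).hostname or site_host) != site_host  # relative URL = same site
        is_pdf = src.lower().endswith(".pdf") or (attrs.get("type") or "").lower() == "application/pdf"
        if (tag == "iframe" and offsite and _looks_hidden(attrs)) or \
           (tag in ("object", "embed") and is_pdf):
            findings.append({"tag": tag, "src": src, "offsite": offsite,
                             "hidden": _looks_hidden(attrs), "pdf": is_pdf})
    return findings

# Keys a PDF needs to run script automatically; their presence is a triage signal, not proof.
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
def pdf_active_content(data):
    """Return which active-content markers appear in the raw PDF bytes."""
    return [m.decode() for m in PDF_ACTIVE_MARKERS if m in data]

# Constructed samples: placeholder hostname, harmless app.alert in the PDF.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="http://malware.example/in.php" width="0" height="0" style="display: none"></iframe>
<object data="http://malware.example/x.pdf" type="application/pdf" width="1" height="1"></object>
<iframe src="/player.html" width="400" height="300"></iframe>
</body></html>"""
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF")
```

Running `find_suspicious_embeds(SAMPLE_HTML, "www.parishilton.com")` reports the hidden off-site iframe and the PDF object but not the same-site player frame, and `pdf_active_content(SAMPLE_PDF)` lists the three markers present in the sample.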

It seems that with every passing week, the malware gets meaner and the tricks get trickier.

Reader Comments (1)

Interesting site, it really teaches me a lot.

February 1, 2009 | Unregistered CommenterMichelle
