This really caught me by surprise.

Read this new article from The Register about a new in-the-wild virus, circulating in booby-trapped PDF files, that installs a remote trojan called “ghost rat”.

Why would Acrobat Reader need JavaScript in the first place?

We already see a lot of issues in web browsers with attacks coming from JavaScript, and now we have to deal with Acrobat Reader as well.

To disable it, go to Edit/Preferences or press Ctrl-K and uncheck the box “Enable Acrobat Javascript”.

Update 29 March: Please note that the original NYTimes article on the snooping done by China and the creation of a GhostNet makes no reference to the “ghost rat” trojan.

Furthermore, the report by Computer Labs of Cambridge observed that both .doc and .pdf files were utilized to download the trojan.

However, I do understand that certain reports do mention a “ghost rat” trojan, so it's very likely this trojan is the malware utilized by the hackers.

F-Secure added the possibility of a variant “grey pigeon” trojan being used as well. In the IWM report, there is a screen capture showing “ghost rat”; the report is worth reading.