<<< NEWS FROM THE LAB - Monday, February 8, 2010 >>>

Watch Out for flower-show.org
Posted by Mikko @ 14:54 GMT

We saw a pretty PDF file today (md5: 116d92f036f68d325068f3c7bbf1d535).



It looks like this:

[screenshot of the PDF]

Nice flowers.



Unfortunately, when the file is opened, it uses an exploit against Adobe Reader to drop and run a file called 1.exe.



This executable is a Poison Ivy backdoor. It calls home to a host called cecon.flower-show.org. Whoever controls the computer at that address gains remote access to the target computer. The PDF was used in a targeted espionage attack against an unknown target.



We've seen the domain flower-show.org before, back in 2009, when another malicious PDF called home to posere.flower-show.org.







Today, both of those host names resolve to 202.150.213.12, which is not in China. It's in Singapore.
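The post gives four indicators worth hunting for: the PDF's MD5, the two callback host names, the parent domain flower-show.org, and the IP they currently resolve to. The following matcher is an added example, not code from F-Secure or from the post; the log format (timestamp, source IP, destination host, destination IP) and the log lines themselves are constructed for illustration. It matches the domain as a proper suffix rather than a substring, so that a look-alike such as flower-show.org.example.net is not flagged, and it keeps host and IP hits separate because the IP is a weaker indicator than the host names.

```python
"""Indicator matcher for the flower-show.org campaign described in the post.
Added example; the log format and sample lines below are constructed."""
import hashlib
from ipaddress import ip_address

# Indicators taken from the post.
KNOWN_MD5 = {"116d92f036f68d325068f3c7bbf1d535"}           # the malicious PDF
KNOWN_HOSTS = {"cecon.flower-show.org", "posere.flower-show.org"}
KNOWN_DOMAINS = {"flower-show.org"}                        # domain and any subdomain
KNOWN_IPS = {"202.150.213.12"}                              # resolution as of the post date

# Constructed sample log (hypothetical format: timestamp src-ip dst-host dst-ip).
# Line 4 is a look-alike that a naive substring match would wrongly flag.
SAMPLE_LOG = """\
2010-02-08T14:10:02Z 10.0.0.5 www.example.com 93.184.216.34
2010-02-08T14:12:45Z 10.0.0.5 cecon.flower-show.org 202.150.213.12
2010-02-08T14:13:01Z 10.0.0.7 mail.flower-show.org 202.150.213.12
2010-02-08T14:14:19Z 10.0.0.9 flower-show.org.example.net 198.51.100.4
2010-02-08T14:15:30Z 10.0.0.11 update.example.org 202.150.213.12
"""


def host_matches(host):
    """True if host is a known callback host, the known domain, or a subdomain of it."""
    host = host.rstrip(".").lower()          # normalise trailing dot and case
    if host in KNOWN_HOSTS:
        return True
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)


def ip_matches(ip):
    """True if ip is a known C2 address; non-addresses never match."""
    try:
        return str(ip_address(ip)) in KNOWN_IPS
    except ValueError:
        return False


def scan_log(text):
    """Return (src, host, ip, reasons) for every log line hitting an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:                  # skip malformed lines
            continue
        _ts, src, host, ip = parts
        reasons = []
        if host_matches(host):
            reasons.append("host")
        if ip_matches(ip):
            reasons.append("ip")
        if reasons:
            hits.append((src, host, ip, tuple(reasons)))
    return hits


def md5_matches(data):
    """True if the file contents hash to the MD5 given in the post."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5


if __name__ == "__main__":
    for src, host, ip, why in scan_log(SAMPLE_LOG):
        print(f"{src} -> {host} ({ip}): matched on {', '.join(why)}")
```

On the sample log this flags the two flower-show.org hosts on both host and IP, and the unrelated update.example.org on IP alone; the look-alike on line 4 is not flagged. Treat an IP-only hit as a lead rather than a verdict: the post only says what the names resolve to today, and a single address in a hosting range can serve many unrelated sites.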