Adobe Acrobat Reader Sending Data Where?
This was received here at Lockergnome recently. For obvious reasons, I will forgo including the name of the sender. But it has me curious - could this be a simple matter of confusing an instance of one application with another or can others out there duplicate this as well? Here is the email:
It is almost 4:00 AM and I just finished a spyware battle that was the scariest thing (from a privacy standpoint) that I’ve seen in…well maybe forever.
As far as I can tell, Adobe Acrobat Reader version 8 has spyware in it that causes data to be sent from a PC to www.dhs.gov. Yes, I know that sounds crazy, but I was sitting here watching it happen with my own eyes.
Here’s how I discovered this. Maybe you can replicate it also? I saved a copy of the Acrobat Reader install file from work (Army related work) and went to install it on my home PC. This PC has Comodo firewall and a DNS caching program from Analog X called FastCache.
I first noticed that my browsing was slow and then stopped completely with page timeouts. I next noticed that even though I was not downloading any pages there was still data flowing through my LAN connection. I opened up Comodo’s “Activity” then “Connections” log. It showed that FastCache was sending data OUT to my external router. I right clicked on FastCache to view its log of connections and there were literally thousands of log entries pointing to www.dhs.gov. It sent out about 45 Megs before I thought to just right click on the Comodo icon and terminate the connection by setting it to “block all” connections.
I had never had this problem before and as soon as I uninstalled Adobe Acrobat the problem disappeared. I should have taken some screenshots but I was too busy trying to stop it.
Needless to say, this computer now has Foxit PDF reader installed!
Now, I may not be a security expert. But if the government was going to snoop, it would more likely be something like the FBI’s Carnivore program, and it would go to some hard-to-track IP address, not a clearly identifiable website. In other words, the Fed is much smoother than this.
What’s interesting is that something else may be running on this person’s machine, giving the appearance that the data is being sent this way, and from what I can tell there is no clear reason why. So I have to ask. Tinfoil hats aside, has anyone heard of a spyware program that does this sort of thing? Because let me tell you, this is unlike anything I have ever heard of, that’s for sure.
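The email above is a firewall-log triage done by eye: open the connections view, spot the process holding the sockets, count the entries to one host. The script below, an example added to this page rather than anything from Comodo, Adobe or the sender, does the same aggregation over a few constructed log lines (the line layout and the sample entries are assumptions, not Comodo's real format), totalling outbound connections and bytes per process and destination and flagging pairs that cross a threshold. One caveat the log itself shows: the process listed is the one that owns the socket (here FastCache, the DNS cache), so attributing the traffic to Reader is inference from timing, not something the connections view proves.

```python
"""Triage firewall connection-log lines for a process pushing a large volume
to a single external host. Example code added to this page; not from Comodo,
Adobe, or the poster. Log layout and sample lines are constructed."""
import re
from collections import defaultdict

# Constructed line format (an assumption, not Comodo's real log layout):
#   <time> <process> <IN|OUT> <dest_host>:<port> <bytes>
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proc>\S+)\s+(?P<dir>IN|OUT)\s+"
    r"(?P<host>[^:\s]+):(?P<port>\d+)\s+(?P<bytes>\d+)$"
)

# Constructed sample log: a burst of outbound segments from one process to one
# host, a normal browser request, an inbound DNS reply, and one junk line.
SAMPLE_LOG = """\
03:41:02 fastcache.exe OUT www.dhs.gov:80 1460
03:41:02 fastcache.exe OUT www.dhs.gov:80 1460
03:41:03 fastcache.exe OUT www.dhs.gov:80 1460
03:41:03 firefox.exe OUT www.example.org:80 512
03:41:04 fastcache.exe OUT www.dhs.gov:80 1460
03:41:05 svchost.exe IN 192.0.2.10:53 96
garbage line that does not parse
""".splitlines()


def parse(lines):
    """Yield (process, direction, host, bytes) for each well-formed line; skip junk."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["proc"], m["dir"], m["host"], int(m["bytes"])


def summarize_outbound(lines):
    """Aggregate outbound traffic per (process, host): connection count and bytes."""
    stats = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for proc, direction, host, nbytes in parse(lines):
        if direction != "OUT":
            continue  # inbound replies are not what the poster was chasing
        entry = stats[(proc, host)]
        entry["connections"] += 1
        entry["bytes"] += nbytes
    return dict(stats)


def flag_suspicious(stats, min_connections=3, min_bytes=4000):
    """Return (process, host) pairs whose outbound volume crosses either threshold.
    The thresholds are illustrative; tune them to the machine's normal traffic."""
    return sorted(
        key for key, entry in stats.items()
        if entry["connections"] >= min_connections or entry["bytes"] >= min_bytes
    )


if __name__ == "__main__":
    stats = summarize_outbound(SAMPLE_LOG)
    for (proc, host), entry in sorted(stats.items()):
        print(f"{proc:15} -> {host:20} {entry['connections']:4} conns "
              f"{entry['bytes']:8} bytes")
    print("suspicious:", flag_suspicious(stats))
```

Run it as is and the FastCache-to-dhs.gov pair is the only one flagged; point `summarize_outbound` at real exported log lines once you have adjusted `LINE_RE` to the firewall's actual layout.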

4 Comments
Kevin Fredde
October 12th, 2007
at 9:55am
Have you tried to download Adobe Reader 8 directly from Adobe instead of using the Army provided one and see if you see the same traffic being generated? It might be something with that file that you brought home from work.
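Kevin Fredde's suggestion amounts to an integrity check: if the copy carried home from work is byte-for-byte the same file Adobe serves, the installer is not the explanation. The script below is an example added to this page, not code from Adobe or any commenter; it hashes both copies in chunks and, where a vendor-published digest is available, checks the fresh download against that too. The file names are placeholders, and `published_digest` is a hypothetical value standing in for whatever the vendor actually publishes.

```python
"""Compare an installer copied from work against a fresh vendor download by
SHA-256. Example code added to this page; not from Adobe or the commenters.
Paths below are placeholders."""
import hashlib
import sys

CHUNK = 1 << 20  # read 1 MiB at a time so a large installer is never held whole in memory


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory byte string (handy for tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(work_digest, vendor_digest, published_digest=None):
    """Turn the two digests into a verdict.
    'identical'       - the work copy matches the vendor download exactly
    'differs'         - the copies differ; treat the work copy as suspect
    'vendor-mismatch' - the fresh vendor download itself fails the published digest,
                        so neither copy is a trustworthy baseline
    """
    if published_digest is not None and vendor_digest != published_digest:
        return "vendor-mismatch"
    return "identical" if work_digest == vendor_digest else "differs"


if __name__ == "__main__":
    # Placeholder paths; pass the real ones on the command line.
    work_path = sys.argv[1] if len(sys.argv) > 1 else "reader_from_work.exe"
    vendor_path = sys.argv[2] if len(sys.argv) > 2 else "reader_from_vendor.exe"
    work_digest, vendor_digest = sha256_file(work_path), sha256_file(vendor_path)
    print(f"{work_path}: {work_digest}")
    print(f"{vendor_path}: {vendor_digest}")
    print("verdict:", classify(work_digest, vendor_digest))
```

A 'differs' verdict does not by itself say the work copy is malicious (it may simply be a different release), but it does mean the two installs are not comparable and the work copy should go to the IT department rather than onto another machine.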
Paul Higgins
October 12th, 2007
at 12:27pm
I agree, Matt. Looks like something else is doing the biz and it is using or imitating Adobe. Kevin Fredde seems to have given a pretty reasonable explanation. That’s definitely what I’d try, and if the download from Adobe doesn’t give the same result, I’d be looking at the Army version.
Kevin
October 14th, 2007
at 7:03pm
Yes, this sounds more like the computer was being used in an attempted DoS attack on dhs.gov.
Actually, why would someone bring home Acrobat Reader from work, if they have a LAN and high speed connection at home, and would this person be fired for doing it, if they are doing Army work?
Acrobat Reader is almost always installed from the site, not an easily available full install download file, so where did it come from? Sounds like the “Acrobat Reader” is a suspect file. Also might let IT at work know, the work computer may now be compromised, which is why most places with sensitive or private info ban downloading stuff.
Mick
November 7th, 2007
at 6:28pm
Hi, this is very interesting. I have been wrestling with exactly the same speed problem as what Matt has described; however, I have a dial-up service. I put a sniffer on my PC and saw that there were acknowledgements of successful delivery to Russian based email addresses.
Since installing Adobe 8.1, 5 days ago at home, I have not been able to restore to an earlier restore point, and my dial-up is really slow. I will un-install Adobe 8.1 tonight and see what happens. I downloaded Adobe from http://www.adobe.com at work and took it home and installed it, as the dial-up speed would have meant the download would take days. Note: I am not with the military.