NEWS FROM THE LAB - Tuesday, December 15, 2009

Adobe Acrobat 0-Day Analysis Posted by Sean @ 13:08 GMT

There's a 0-Day PDF exploit taking advantage of a vulnerability found in Adobe Reader and Acrobat 9.2 and earlier. Adobe has issued an advisory on their PSIRT blog.

The screenshot below, pulled from our automation, shows that when the PDF file is opened in Adobe Acrobat/Reader it attempts to download an executable file. The server has been abused but is currently active.

[Screenshot: Adobe, CVE-2009-4324, sample 0805d0...]

The executable that is downloaded searches for and encrypts certain files and then uploads them to another server. This server is currently online and its contents are publicly browsable.

The machine name and the IP address of the compromised machine are included.

Here's an example:

[Screenshot: Adobe, CVE-2009-4324]

Based on the numbers of files found on the upload server, it appears that this exploit is only being used in targeted attacks.

But that could easily change…

Disabling Acrobat's JavaScript option may offer some mitigation.

You might also install an alternative PDF reader; many good ones are available for free.
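Since the mitigation above hinges on the exploit needing Acrobat's JavaScript, one defender-side complement is to hold back inbound PDFs that carry JavaScript or auto-run actions at all, including ones hidden inside FlateDecode streams where a plain grep misses them. The following triage script is an added example written for this post, not F-Secure's or Adobe's code; the key list and the constructed sample document are assumptions, and the sample contains no exploit code.

```python
import re
import zlib

# Keys that mark script or auto-run behaviour in a PDF. Legitimate documents
# rarely need them; a PDF from an unknown sender that carries them is worth
# holding back while the reader is unpatched.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

# Non-greedy so each stream ends at its own endstream; group(1) keeps the
# trailing EOL bytes, which zlib treats as harmless data after the stream.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def inflate_streams(pdf: bytes) -> bytes:
    """Return the PDF with every FlateDecode stream body replaced by its
    inflated content, so keys hidden in compressed objects become visible."""
    def _inflate(m):
        try:
            # decompressobj ignores bytes after the zlib stream (the EOL before endstream)
            return b"stream\n" + zlib.decompressobj().decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)  # not Flate-compressed (or corrupt); keep as-is
    return STREAM_RE.sub(_inflate, pdf)


def triage_pdf(pdf: bytes) -> dict:
    """Count each suspicious key in the PDF after inflating its streams.
    The lookahead stops /JS from also matching longer names such as /JSx."""
    data = inflate_streams(pdf)
    hits = {}
    for key in SUSPICIOUS_KEYS:
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", data))
        if n:
            hits[key.decode()] = n
    return hits


def build_sample_pdf() -> bytes:
    """Constructed test document (not a real sample): the catalog's /OpenAction
    points at an action dictionary hidden in a compressed object stream, so a
    plain grep for /JavaScript on the raw file finds nothing."""
    hidden = zlib.compress(b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj")
    header = (
        b"%PDF-1.5\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    )
    objstm = (b"5 0 obj << /Type /ObjStm /Length " + str(len(hidden)).encode()
              + b" /Filter /FlateDecode >>\nstream\n" + hidden + b"\nendstream\nendobj\n")
    return header + objstm + b"trailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))  # {'/JavaScript': 1, '/JS': 1, '/OpenAction': 1}
```

A real deployment would run `triage_pdf` over mail attachments at the gateway and quarantine anything that reports hits, rather than relying on the reader's own settings.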

Adobe is now on a scheduled quarterly update cycle, with security patches coming as needed on the same day as Microsoft's updates. It could be January 12th before Adobe publishes a fix.

We detect the following:

The exploit as Exploit:W32/AdobeReader.Uz.
The downloaded file as Trojan-Dropper:W32/Agent.MRH.
The dropped files as Trojan:W32/Agent.MRI, Trojan:W32/Agent.MRJ, and Rootkit:W32/Agent.MRK.

— Read More —

  •  Shadowserver – When PDFs Attack II - New Adobe Acrobat [Reader] 0-Day On the Loose
  •  Security Fix – Hackers target unpatched Adobe Reader, Acrobat flaw
  •  The Register – Unpatched PDF flaw harnessed to launch targeted attacks


Updated to add: According to Contagio Malware Dump, some of the original targeted attack emails looked like this:

   From: Rachel Millstone
   To: (redacted)
   Date: Dec 11, 2009 3:12 PM
   Subject: reference
   Dear All
   Please find attached the updated country briefing notes, and staff lists.
   kind regards
   Attachment: note_20091210.pdf

   From: fureer.angelica@gmail.com
   To: (redacted)
   Date: 2009-12-13 12:14 AM
   Subject: Interview Request
   This is Fureer Angelica, diplomaic broadcaster for CNN in DC.
   There's growing concern about the U.S.-North Korea bilateral talks.
   So, we're planning an Interview about them.
   Attached is the outline of the interview.
   p.s. Detailed schedules will be followed soon if you accept the offer.
   Attachment: File outline_of_interview.pdf

   From: jackr@gilbrooks.edu
   To: (redacted)
   Subject: reference
   Date: Mon, 30 Nov 2009 06:53:52 +0000
   Dear All
   Please find attached the updated country briefing notes, and staff lists.
   kind regards
   Attachment: note200911.pdf


Updated to add: Adobe has published an updated Security Advisory. They plan to make an update available on January 12th.

Also noteworthy, this PDF vulnerability has been added to Metasploit.