
SANS ISC InfoSec Handlers Diary Blog



Acrobat continued activity in the wild

Published: 2008-11-11
Last Updated: 2008-11-12 02:04:02 UTC
by Swa Frantzen (Version: 3)
1 comment(s)

It seems those responsible for the attacks reported earlier, and followed up on only yesterday, are still busy and most probably successful at it.

Holger reported a site that, via obfuscation and redirection, pointed back to the same site where Bojan initially found his malicious pdfs.

Interestingly, the pdfs are new files.

Checking the new pdf again on virustotal (both file names have the same content, MD5: e51f24ec2e3d2cf71aa1ba74a7210841) to get an up-to-date idea of the coverage, we get this:

Antivirus          Version  Last Update  Result
SecureWeb-Gateway  6.7.6    2008.11.11   Exploit.PDF.Shellcode.gen (suspicious)
Symantec           10       2008.11.11   Trojan.Pidief.D

All the rest of the products tested at virustotal fail to detect these newer pdfs at all at this time.

So, what are we to do?

  • Are your Acrobat installations fully up to date on patches? How can you be sure?
  • Do you really need pdf viewers to execute downloaded JavaScript? How can it be turned off?

Perhaps the policy file contributed by Elazar can help you:

CLASS USER 
 
CATEGORY "Adobe Acrobat/Reader 6.x - 8.x" 
 
POLICY "JavaScript Reader 8.x" 
KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 8.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Reader 7.x" 
KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 7.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Reader 6.x" 
KEYNAME "Software\Adobe\Acrobat Reader\6.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 6.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 6.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\6.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 6.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
END CATEGORY

Disclaimer: I've not tried this policy file.
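To verify what the template above actually produced on a workstation, here is an added audit script (not part of the diary and not Elazar's template) that reads the same bEnableJS values under the JSPrefs keys for Reader and Acrobat 6.x through 8.x. It assumes the HKCU key layout shown in the template (the template is CLASS USER, so it is run as the user whose profile is being checked); the -Disable switch is my own addition for setting the value to 0 where the key exists.

```powershell
# Added example: audit (and optionally turn off) Acrobat/Reader JavaScript
# via the bEnableJS value that the ADM template above manages.
param(
    [switch]$Disable   # with -Disable, write bEnableJS = 0 where a JSPrefs key exists
)

# Product and version names taken from the KEYNAME lines of the template.
$products = @('Acrobat Reader', 'Adobe Acrobat')
$versions = @('6.0', '7.0', '8.0')

foreach ($product in $products) {
    foreach ($version in $versions) {
        $key = "HKCU:\Software\Adobe\$product\$version\JSPrefs"
        if (-not (Test-Path -Path $key)) {
            # No JSPrefs key: this product/version is not installed for the
            # current user, or its JavaScript preferences were never written.
            continue
        }
        $item  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $value = $item.bEnableJS   # $null when the value is absent

        if ($null -eq $value)   { $state = 'not set (application default applies)' }
        elseif ($value -eq 0)   { $state = 'disabled' }
        elseif ($value -eq 1)   { $state = 'enabled' }
        else                    { $state = "unexpected value $value" }

        Write-Output ("{0,-14} {1}  JavaScript: {2}" -f $product, $version, $state)

        if ($Disable -and $value -ne 0) {
            # Same value and type the template's VALUEOFF NUMERIC 0 would write.
            Set-ItemProperty -Path $key -Name 'bEnableJS' -Value 0 -Type DWord
            Write-Output "  -> bEnableJS set to 0 under $key"
        }
    }
}
```

Running it without -Disable is read-only and is the quick way to confirm a deployed policy landed; note that a value written here can be flipped back by the user through Reader's own preferences unless the key is managed by policy.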

UPDATES:

Holger seems to have taken an interest in this and reported that they seem to have updated the attack once again: there is no more detection on virustotal.

A big part of getting this right is being notified in a timely manner when such updates become available. Jacob reported that he noticed he didn't get the notification from Adobe for the last few updates. (You can sign up for it, but YMMV...)

An anonymous reader reported: "I observed the following on two different computers (one at work; one at home) about a week or two ago. Both mentioned that there was an update to Adobe Reader available but that the update failed. Subsequently, that message did not reappear. Manually selecting Update from within Adobe Reader allowed for the installation of the patched version, which required a reboot." Hence, take care when relying solely on automatic updates ...

--
Swa Frantzen -- Section 66
