Adobe Acrobat/Reader 0-day in Wild, Adobe Issues Advisory
Last Updated: 2010-09-08 18:03:06 UTC
by John Bambenek (Version: 1)
We just received word of a report of a 0-day exploit for Adobe Acrobat/Reader being used in the wild. Secunia has a brief write-up, and here is the link to the original advisory. The exploit was discovered in a phishing attempt with the subject "David Leadbetter's One Point Lesson". Adobe has issued an advisory that references CVE-2010-2883 (which just shows as reserved at this point, with no details). It does affect the latest version of Acrobat/Reader, and Adobe is investigating a patch. More to come on that.
The exploit in the wild I'm aware of causes a crash in Acrobat/Reader and then tries to open a decoy file, so the good news is that, as of right now, it's a "loud" exploit. Early VirusTotal scans also showed partial coverage under various forms of "Suspicious PDF" categories. At this point standard precautions apply (don't open PDFs from strangers), and this can probably only really be used in a phishing-style scenario. Will update this diary as needed with developments.
--
John Bambenek
bambenek at gmail /dot/ com
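Added example, not code from this diary, from Adobe or from the Metasploit write-up linked in the comments: the "Suspicious PDF" detections mentioned above are generic heuristics, so here is a narrower check aimed at what CVE-2010-2883 actually abuses. The diary only names CoolType.dll; the published root cause (not stated on this page, but the CVE's own description) is a stack buffer overflow when CoolType copies the uniqueName field of a SING (Smart INdependent Glyphlets) table from an embedded TrueType font into a fixed-size buffer with an unbounded string copy. A uniqueName that fills all 28 bytes with no NUL terminator is therefore the tell. The scanner below walks every stream object of a PDF (only bare stream/endstream pairs and an optional FlateDecode attempt; no xref or object-stream handling), finds sfnt table directories, and flags any SING table whose uniqueName is unterminated. Function names are mine, and the "benign"/"hostile" PDFs it builds when run without arguments are constructed in-line, not real samples.

```python
"""Heuristic scanner for the SING-table uniqueName overflow (CVE-2010-2883).
Added example; the SING layout (eight uint16 fields, then a 28-byte uniqueName)
follows the public SING table specification."""
import re
import struct
import sys
import zlib

SING_UNIQUENAME_OFF = 16   # eight uint16 header fields precede uniqueName
SING_UNIQUENAME_LEN = 28   # fixed-size field per the SING table layout

SFNT_MAGIC = re.compile(rb"\x00\x01\x00\x00|true|OTTO")       # TrueType / Apple / CFF sfnt headers
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def extract_streams(pdf_bytes):
    """Yield (index, decoded_body) for each stream object.
    Minimal by design: no xref or object streams; anything that does not
    inflate as zlib data is scanned as-is."""
    for idx, m in enumerate(STREAM_RE.finditer(pdf_bytes)):
        body = m.group(1)
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass
        yield idx, body


def find_sing_tables(blob):
    """Return [(absolute_offset, table_bytes)] for every SING table in blob.
    Every sfnt magic is tried as a font start; implausible directories (bad
    table count, entries or tables running off the end) are skipped so a
    chance magic hit in binary data does not produce findings."""
    found = []
    for m in SFNT_MAGIC.finditer(blob):
        base = m.start()
        if base + 12 > len(blob):
            continue
        num_tables = struct.unpack_from(">H", blob, base + 4)[0]
        if not 1 <= num_tables <= 64 or base + 12 + 16 * num_tables > len(blob):
            continue
        for i in range(num_tables):
            tag, _csum, off, length = struct.unpack_from(">4sIII", blob, base + 12 + 16 * i)
            start = base + off   # sfnt table offsets are relative to the font start
            if tag == b"SING" and start + length <= len(blob):
                found.append((start, blob[start:start + length]))
    return found


def unique_name_unterminated(table):
    """True when uniqueName fills all 28 bytes with no NUL (the overflow trigger)."""
    end = SING_UNIQUENAME_OFF + SING_UNIQUENAME_LEN
    if len(table) < end:
        return False
    return b"\x00" not in table[SING_UNIQUENAME_OFF:end]


def scan_pdf(pdf_bytes):
    """Return [(stream_index, table_offset, unique_name)] for suspicious SING tables."""
    hits = []
    for idx, blob in extract_streams(pdf_bytes):
        for off, table in find_sing_tables(blob):
            if unique_name_unterminated(table):
                hits.append((idx, off, table[SING_UNIQUENAME_OFF:SING_UNIQUENAME_OFF + SING_UNIQUENAME_LEN]))
    return hits


# --- constructed test data (not real samples) ---------------------------------

def build_font(unique_name):
    """Minimal sfnt holding a single SING table; unique_name is NUL-padded to 28 bytes."""
    sing = (struct.pack(">8H", 1, 0, 1, 0, 0, 1000, 0, 0)
            + unique_name.ljust(SING_UNIQUENAME_LEN, b"\x00")[:SING_UNIQUENAME_LEN]
            + b"\x00" * 16     # METAMD5
            + b"\x00")         # nameLength = 0
    header = b"\x00\x01\x00\x00" + struct.pack(">4H", 1, 16, 0, 0)
    entry = b"SING" + struct.pack(">III", 0, 28, len(sing))   # table follows the 28-byte directory
    return header + entry + sing


def build_pdf(font, compress):
    """Wrap a font blob in a one-object PDF, optionally FlateDecode-compressed."""
    body = zlib.compress(font) if compress else font
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(body)).encode() + filt + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    targets = []
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            targets.append((path, fh.read()))
    if not targets:   # no files given: demonstrate on the constructed samples
        targets = [("benign.pdf", build_pdf(build_font(b"glyphlet1"), True)),
                   ("hostile.pdf", build_pdf(build_font(b"A" * SING_UNIQUENAME_LEN), True))]
    for name, data in targets:
        hits = scan_pdf(data)
        for idx, off, uname in hits:
            print(f"{name}: stream {idx}, SING table at +{off}: unterminated uniqueName {uname!r}")
        if not hits:
            print(f"{name}: no suspicious SING tables")
```

Run it with one or more PDF paths, or with no arguments to see it flag the constructed hostile sample and pass the benign one. It is a triage aid, not a replacement for the patch: fonts inside object streams, chained filters or non-standard encodings are not unpacked here, so a clean result only means nothing was found in the streams it could decode.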
Comments
Should that not be Secure Portable Document Format (SPDF)? Security is paramount but don't forget the platform/device independency.
I switched my users to it without issue.
The Metasploit blog has an excellent technical write-up today: http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html
Subject: Here you have
Body:
Hello:
This is The Document I told you about,you can find it
Here.http: / / www . share d ocuments . com / library / PDF_Document21 . 025542010 . pdf
Please check it and reply as soon as possible.
Cheers,
(Note that the domain name has only one D in it.)
SB
http: // members . multimania . co . uk / yahoophoto / PDF_Document21_025542010_pdf . scr
SB
A major auditing firm sent us some emails with the link that SB posted, however it's to a .SCR file even though the link in the email says .PDF (as he corrected in a later post).
They use McAfee and McAfee added detection as of today. Their writeup for this non-PDF infection is at http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=275352#none
It appears to require local administrator rights to do its thing since it installs into %WINDIR%. "Least privilege" stops another one even if the AV vendors can't.
FWIW, we tested it against the six anti-malware systems we use. Bitdefender and Kaspersky on the proxy server both stopped the download if the link was clicked.
Every engine we have enabled on Forefront for Exchange let the email go right through because it was just a link. The Sophos email gateway did the same because it was just a link. These systems update every hour.
The two engines on the proxy server marked it as:
Bitdefender: Gen:Trojan.Heur.rm0@fnBStPoi
Kaspersky: Suspicious:HEUR:Trojan.Win32.Generic
Back on topic, EMET 2.0 is supposed to take care of the "Not so" Cooltype.dll exploit.
[quote]Current exploits in the wild target the Windows platform. Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited. For more information on EMET and implementing this mitigation, please refer to the Microsoft Security Research and Defense blog. Note that due to the time-sensitive nature of this issue, testing of the functional compatibility of this mitigation has been limited. Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows.[/quote]
On Windows 7 EMET applies all the protections to Acrobat Reader.
On Windows Server 2003 Terminal Server it shows the green ball that Acrobat Reader is being run with EMET and tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected)
On Windows XP SP3 it's a total strikeout. Tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected), but no program gets shown running with EMET. (Huh?)
Well, it's cross your fingers and hope time...