Feeds

Adobe Reader vuln hit with unusually advanced attack

Eight more days to go

The essential guide to IT transformation

With more than a week until Adobe is scheduled to patch a critical vulnerability in its Reader and Acrobat applications, online thugs are targeting it with an unusually sophisticated attack.

The PDF file uses what's known as egg-hunting shellcode to compress the first phase of the malicious payload into 38 bytes, a tiny size that's designed to thwart anti-virus detection. As a result, just four of the 41 major AV programs detect the attack more than six days after the exploit surfaced, according to this analysis from Virus Total.

The shellcode then loads an obfuscated binary file contained in the PDF file that installs PoisonIvy, a backdoor client used to maintain control over infected PCs.

"Not only was this a very interesting example of a malicious PDF document carrying a sophisticated 'war head,' but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims," wrote Bojan Zdrnja, a Sans handler who analyzed the exploit.

The PDF was distributed through email that was specifically targeted at an unnamed organization, Zdrnja, who is a senior information security consultant with Infigo, said in an interview with The Register. Based on the metadata found in the PDF, it originated in China and was produced on December 29.

Just to make the attack even harder for end users to detect, the obfuscated binary runs a third executable program that does nothing more than open a benign file called baby.pdf on the infected machine. Zdrnja believes this is done to deflect attention and prevent users from figuring out their PC has just been compromised.

In mid December, Adobe confirmed the critical flaw in Reader and Acrobat, but said a fix wouldn't come until January 12, the same day Microsoft is slated to release its next installment of security fixes. The vulnerability, which is classified as CVE-2009-4324, has been under targeted attack for more than three weeks. White hat hackers have also added an exploit to the Metasploit framework for penetration testers.

These latest in-the-wild attacks are bound to add fuel to critics who say Adobe software, which runs on well more than 95 percent of the world's computers, needs to be better screened for security vulnerabilities. The company is in the process of designing a new updater that will patch security holes in Reader, Acrobat, and Flash without requiring user interaction, according to the Zero Day blog. Beta users will begin testing it sometime this month.

This should come as good news. The wide availability of exploits targeting now-patched vulnerabilities suggests that a significant portion of users don't run the most recent version of the programs.

Adobe has also pledged to beef up the security of Reader and Acrobat by using software fuzzers and other tools to proactively find bugs that can be exploited. Since then, criminals have beat Adobe to spotting new critical vulnerabilities at least twice, including the latest attacks. ®

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?