Feeds

Adobe Reader vuln hit with unusually advanced attack

Eight more days to go

Intelligent flash storage arrays

With more than a week until Adobe is scheduled to patch a critical vulnerability in its Reader and Acrobat applications, online thugs are targeting it with an unusually sophisticated attack.

The PDF file uses what's known as egg-hunting shellcode to compress the first phase of the malicious payload into 38 bytes, a tiny size that's designed to thwart anti-virus detection. As a result, just four of the 41 major AV programs detect the attack more than six days after the exploit surfaced, according to this analysis from Virus Total.

The shellcode then loads an obfuscated binary file contained in the PDF file that installs PoisonIvy, a backdoor client used to maintain control over infected PCs.

"Not only was this a very interesting example of a malicious PDF document carrying a sophisticated 'war head,' but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims," wrote Bojan Zdrnja, a Sans handler who analyzed the exploit.

The PDF was distributed through email that was specifically targeted at an unnamed organization, Zdrnja, who is a senior information security consultant with Infigo, said in an interview with The Register. Based on the metadata found in the PDF, it originated in China and was produced on December 29.

Just to make the attack even harder for end users to detect, the obfuscated binary runs a third executable program that does nothing more than open a benign file called baby.pdf on the infected machine. Zdrnja believes this is done to deflect attention and prevent users from figuring out their PC has just been compromised.

In mid December, Adobe confirmed the critical flaw in Reader and Acrobat, but said a fix wouldn't come until January 12, the same day Microsoft is slated to release its next installment of security fixes. The vulnerability, which is classified as CVE-2009-4324, has been under targeted attack for more than three weeks. White hat hackers have also added an exploit to the Metasploit framework for penetration testers.

These latest in-the-wild attacks are bound to add fuel to critics who say Adobe software, which runs on well more than 95 percent of the world's computers, needs to be better screened for security vulnerabilities. The company is in the process of designing a new updater that will patch security holes in Reader, Acrobat, and Flash without requiring user interaction, according to the Zero Day blog. Beta users will begin testing it sometime this month.

This should come as good news. The wide availability of exploits targeting now-patched vulnerabilities suggests that a significant portion of users don't run the most recent version of the programs.

Adobe has also pledged to beef up the security of Reader and Acrobat by using software fuzzers and other tools to proactively find bugs that can be exploited. Since then, criminals have beat Adobe to spotting new critical vulnerabilities at least twice, including the latest attacks. ®

Intelligent flash storage arrays

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.