Feeds

Adobe Reader vuln hit with unusually advanced attack

Eight more days to go

Top three mobile application threats

With more than a week until Adobe is scheduled to patch a critical vulnerability in its Reader and Acrobat applications, online thugs are targeting it with an unusually sophisticated attack.

The PDF file uses what's known as egg-hunting shellcode to compress the first phase of the malicious payload into 38 bytes, a tiny size that's designed to thwart anti-virus detection. As a result, just four of the 41 major AV programs detect the attack more than six days after the exploit surfaced, according to this analysis from Virus Total.

The shellcode then loads an obfuscated binary file contained in the PDF file that installs PoisonIvy, a backdoor client used to maintain control over infected PCs.

"Not only was this a very interesting example of a malicious PDF document carrying a sophisticated 'war head,' but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims," wrote Bojan Zdrnja, a Sans handler who analyzed the exploit.

The PDF was distributed through email that was specifically targeted at an unnamed organization, Zdrnja, who is a senior information security consultant with Infigo, said in an interview with The Register. Based on the metadata found in the PDF, it originated in China and was produced on December 29.

Just to make the attack even harder for end users to detect, the obfuscated binary runs a third executable program that does nothing more than open a benign file called baby.pdf on the infected machine. Zdrnja believes this is done to deflect attention and prevent users from figuring out their PC has just been compromised.

In mid December, Adobe confirmed the critical flaw in Reader and Acrobat, but said a fix wouldn't come until January 12, the same day Microsoft is slated to release its next installment of security fixes. The vulnerability, which is classified as CVE-2009-4324, has been under targeted attack for more than three weeks. White hat hackers have also added an exploit to the Metasploit framework for penetration testers.

These latest in-the-wild attacks are bound to add fuel to critics who say Adobe software, which runs on well more than 95 percent of the world's computers, needs to be better screened for security vulnerabilities. The company is in the process of designing a new updater that will patch security holes in Reader, Acrobat, and Flash without requiring user interaction, according to the Zero Day blog. Beta users will begin testing it sometime this month.

This should come as good news. The wide availability of exploits targeting now-patched vulnerabilities suggests that a significant portion of users don't run the most recent version of the programs.

Adobe has also pledged to beef up the security of Reader and Acrobat by using software fuzzers and other tools to proactively find bugs that can be exploited. Since then, criminals have beat Adobe to spotting new critical vulnerabilities at least twice, including the latest attacks. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
Oracle working on at least 13 Heartbleed fixes
Big Red's cloud is safe and Oracle Linux 6 has been patched, but Java has some issues
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.