Adobe Acrobat 0-Day Analysis Posted by Sean @ 13:08 GMT

There's a 0-Day PDF exploit taking advantage of a vulnerability found in Adobe Reader and Acrobat 9.2 and earlier. Adobe has issued an advisory on their PSIRT blog.



The screenshot below, pulled from our automation, shows that when the PDF file is opened in Adobe Acrobat/Reader it attempts to download an executable file. The download server appears to be an abused (compromised) host, and it is currently still active.



The executable that is downloaded searches for and encrypts certain files and then uploads them to another server. This server is currently online and its contents are publicly browsable.



The machine name and the IP address of the compromised machine are included.



Here's an example:



Based on the number of files found on the upload server, it appears that this exploit is only being used in targeted attacks.



But that could easily change…



Disabling Acrobat's JavaScript option may offer some mitigation.



You might also install an alternative PDF reader; many good ones are available for free.
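The mitigation above rests on the exploit needing Acrobat's JavaScript engine, so the first thing an analyst checks on a suspicious PDF is whether it carries JavaScript at all, and whether that JavaScript is wired to run automatically when the file is opened. The triage script below is an added example, not F-Secure's automation and not code from this post: it scans a PDF for the standard active-content markers (/JavaScript, /JS, /OpenAction, /AA, /Launch, /URI, /EmbeddedFile), looks inside FlateDecode-compressed streams, and undoes the #xx hex escapes that PDF allows in names, since both are used to hide keywords from naive string matching. The two sample PDFs are constructed inline for the demonstration and are simplified skeletons rather than fully valid files; the "JavaScript" they contain is a harmless alert, not an exploit.

```python
import re
import zlib

# Dictionary keys that indicate active content or automatic behaviour.
# Their presence is not proof of malice (many legitimate forms use
# JavaScript), but it is the first thing checked on a suspected exploit PDF.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                   b"/Launch", b"/URI", b"/EmbeddedFile")


def normalise_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF names, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the raw file plus the decoded body of every FlateDecode stream,
    so keywords hidden inside compressed objects become visible to the scan."""
    out = [data]
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)endstream", data, re.DOTALL):
        d = zlib.decompressobj()  # tolerates the trailing newline before endstream
        try:
            out.append(d.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed (or deliberately corrupted); skip it
    return b"\n".join(out)


def triage_pdf(data: bytes) -> dict:
    """Report which active-content markers a PDF contains and whether
    JavaScript is set to execute automatically on open."""
    text = normalise_names(inflate_streams(data))
    hits = {}
    for key in SUSPICIOUS_KEYS:
        # Negative lookahead stops /JS from also matching longer names.
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z0-9_])", text))
        if n:
            hits[key.decode()] = n
    has_js = "/JavaScript" in hits or "/JS" in hits
    auto_action = "/OpenAction" in hits or "/AA" in hits
    return {
        "hits": hits,
        # JavaScript that runs without any user interaction is the pattern
        # to escalate to a full analysis.
        "auto_exec_js": has_js and auto_action,
    }


def _pdf(objects) -> bytes:
    """Build a minimal PDF skeleton from object bodies (constructed sample,
    structurally representative rather than a fully valid file)."""
    body = b"%PDF-1.4\n" + b"".join(
        f"{i} 0 obj\n".encode() + o + b"\nendobj\n" for i, o in enumerate(objects, 1))
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample 1: a document with no active content at all.
BENIGN_PDF = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
])

# Constructed sample 2: the catalog's /OpenAction points at a JavaScript action
# whose dictionary is Flate-compressed and whose /JavaScript name is hex-escaped,
# so a plain grep of the file would see neither keyword.
_hidden = zlib.compress(
    b"<< /S /J#61vaScript /JS (app.alert('constructed sample, not an exploit')) >>")
SUSPICIOUS_PDF = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
    b"<< /Type /ObjStm /Length %d /Filter /FlateDecode >>\nstream\n" % len(_hidden)
    + _hidden + b"\nendstream",
])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(name, triage_pdf(sample))
```

Run it on real files with `triage_pdf(open(path, "rb").read())`. A hit on `auto_exec_js` is a reason to detonate the file in an isolated environment or submit it for analysis, not a verdict by itself; equally, an empty result does not clear a file, because object streams can use filters other than Flate and the scan does not parse the PDF object graph.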



Adobe is now on a scheduled quarterly update cycle, with security patches coming as needed on the same day as Microsoft's updates. It could be January 12th before Adobe publishes a fix.



We detect the following:



The exploit as Exploit:W32/AdobeReader.Uz.

The downloaded file as Trojan-Dropper:W32/Agent.MRH.

The dropped files as Trojan:W32/Agent.MRI, Trojan:W32/Agent.MRJ, and Rootkit:W32/Agent.MRK.



— Read More —



• Shadowserver – When PDFs Attack II - New Adobe Acrobat [Reader] 0-Day On the Loose

• Security Fix – Hackers target unpatched Adobe Reader, Acrobat flaw

• The Register – Unpatched PDF flaw harnessed to launch targeted attacks



—————



Updated to add: According to Contagio Malware Dump, some of the original targeted attack emails looked like this:



From: Rachel Millstone

To: (redacted)

Date: Dec 11, 2009 3:12 PM

Subject: reference



Dear All

Please find attached the updated country briefing notes, and staff lists.



kind regards

Rachel



Attachment: note_20091210.pdf



From: fureer.angelica@gmail.com

To: (redacted)

Date: 2009-12-13 12:14 AM

Subject: Interview Request



This is Fureer Angelica, diplomatic broadcaster for CNN in DC.

There's growing concern about the U.S.-North Korea bilateral talks.

So, we're planning an Interview about them.

Attached is the outline of the interview.



p.s. Detailed schedules will be followed soon if you accept the offer.



Attachment: File outline_of_interview.pdf



From: jackr@gilbrooks.edu

To: (redacted)

Subject: reference

Date: Mon, 30 Nov 2009 06:53:52 +0000



Dear All

Please find attached the updated country briefing notes, and staff lists.



kind regards

Jack



Attachment: note200911.pdf



—————



Updated to add: Adobe has published an updated Security Advisory. They plan to make an update available on January 12th.



Also noteworthy, this PDF vulnerability has been added to Metasploit.


