SANS Internet Storm Center (ISC) Diary: Adobe Acrobat/Reader 0-day in Wild, Adobe Issues Advisory

We just received word that there is a report of a 0-day exploit for Adobe Acrobat/Reader being exploited in the wild. Secunia has a brief write-up and here is the link to the original advisory. The exploit was discovered in a phishing attempt with the subject "David Leadbetter's One Point Lesson". Adobe has issued an advisory and references CVE-2010-2883 (which just shows as reserved at this point with no details). It does affect the latest version of Acrobat/Reader and Adobe is investigating a patch. More to come on that.

The exploit in the wild I'm aware of causes a crash in Acrobat/Reader and then tries to open a decoy file. So the good news is that, as of right now, it's a "loud exploit". Early VirusTotal scans also had partial coverage under various forms of "Suspicious PDF" categories. At this point, standard precautions apply (don't open PDFs from strangers) and this can probably only really be used in a phishing-style scenario. Will update this diary as needed with developments.

--
John Bambenek
bambenek at gmail /dot/ com

Adobe is killing us! Secure Document Format (SDF) please!!! (I think I read something about that recently.)
John

John wrote "Secure Document Format (SDF) please!!!"

Should that not be Secure Portable Document Format (SPDF)? Security is paramount but don't forget the platform/device independency.
Chris

Seriously. This is getting ridiculous. Maybe they could hurry up on that sandboxing at least.
Anonymous
Does anyone know if FoxIt is more secure? (I guess, how could it be worse than Adobe Reader at this point?) I've made the switch on my personal PC, and I'm thinking of switching my clients as well.
Anonymous
I'm not sure Foxit is more secure but there is less bloat in it and I agree how could it be less secure.
I switched my users to it without issue.
PW

As with many or all of the recent Adobe PDF hacks, you can stop this one by disabling JavaScript within Reader/Acrobat.

The Metasploit blog has an excellent technical write-up today: http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html
Andrew

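
Added example (mine, not code from the diary or any commenter): a Python triage script that flags the PDF features the "Suspicious PDF" heuristics mentioned above key on, chiefly JavaScript actions, before a file is opened. It decodes #xx-escaped names (so /J#61vaScript is seen as /JavaScript) and inflates FlateDecode streams, since malicious PDFs routinely hide their actions behind both. The key list, the verdict rule and the sample PDF are constructed for this example; the sample contains no exploit. A clean result means "no script or launch action found", not "safe": a bug in a font or image parser is reached without any JavaScript.

```python
import re
import zlib

# Name objects whose presence makes a PDF worth a closer look before it is
# opened: script actions, auto-execution hooks, launched or embedded payloads
# and embedded font streams. The list is this example's choice, not an Adobe
# or AV vendor definition.
SUSPICIOUS_KEYS = {
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/FontFile", "/FontFile2", "/FontFile3",
}

# A PDF name runs from "/" to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/([^\s/<>\[\]()%]+)")
# Indirect objects and the stream an object may carry. Good enough for
# triage; a file malformed enough to confuse it is itself worth a look.
_OBJ_RE = re.compile(rb"\bobj\b(.*?)\bendobj\b", re.DOTALL)
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes so /J#61vaScript compares equal to /JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return "/" + unescaped.decode("latin-1")


def _scan_names(data: bytes, counts: dict) -> None:
    for m in _NAME_RE.finditer(data):
        name = _decode_name(m.group(1))
        if name in SUSPICIOUS_KEYS:
            counts[name] = counts.get(name, 0) + 1


def triage_pdf(data: bytes) -> dict:
    """Count suspicious names in a PDF, looking inside FlateDecode streams too.

    Streams with any other filter (or a body that fails to inflate) are
    tallied under "_opaque_streams": the scan could not see into them, so a
    lack of findings there is not evidence that the file is clean.
    """
    counts: dict = {}
    _scan_names(data, counts)          # everything stored in plain text
    for obj in _OBJ_RE.finditer(data):
        body = obj.group(1)
        sm = _STREAM_RE.search(body)
        if sm is None:
            continue
        header = body[:sm.start()]     # the stream's dictionary
        if b"/Filter" not in header:
            continue                   # unfiltered, already scanned above
        raw = sm.group(1)
        # Prefer the declared /Length (direct integers only) over the regex
        # guess: binary data may contain bytes the regex treats as delimiters.
        m_len = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", header)
        if m_len:
            raw = body[sm.start(1):sm.start(1) + int(m_len.group(1))]
        try:
            if b"/FlateDecode" not in header:
                raise zlib.error("filter other than FlateDecode")
            _scan_names(zlib.decompress(raw), counts)
        except zlib.error:
            counts["_opaque_streams"] = counts.get("_opaque_streams", 0) + 1
    return counts


def verdict(counts: dict) -> bool:
    """True if the file carries script/launch actions or parts we could not read."""
    return any(k in counts for k in ("/JavaScript", "/JS", "/Launch", "_opaque_streams"))


def build_sample_pdf() -> bytes:
    """Constructed sample for this example (not an exploit): the catalog's
    OpenAction points at a JavaScript action whose name is hex-escaped, and a
    second action hides inside a Flate-compressed object stream."""
    hidden = zlib.compress(b"6 0 << /Type /Action /S /Launch /F (cmd.exe) >>")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /Type /Action /S /J#61vaScript /JS (app.alert('sample')) >>",
        b"<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(hidden) + hidden + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objects, start=1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    found = triage_pdf(build_sample_pdf())
    print(found, "-> suspicious" if verdict(found) else "-> nothing obvious")
```

Run it against a real file with `triage_pdf(open(path, "rb").read())`; the count of `_opaque_streams` tells you how much of the file the scan could not read.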
Receiving active infection at a rate of 1 every 5 seconds.
Subject: Here you have
Body:
Hello:
This is The Document I told you about,you can find it
Here.http: / / www . share d ocuments . com / library / PDF_Document21 . 025542010 . pdf
Please check it and reply as soon as possible.
Cheers,


(Note that the domain name has only one D in it.)

SB
Spam

Update: the real link (:-S) is:

http: // members . multimania . co . uk / yahoophoto / PDF_Document21_025542010_pdf . scr

SB
Spam

Since some of the most well-known virus companies are not detecting the .scr file according to VirusTotal, can anyone say what the file does, if anything, at this point? We got blasted about 2 hrs ago. I have one machine offline until I can tell what it does.
Anonymous
We got hit with this an hour ago and it spread like wildfire. It seems to spam all exchange distribution lists with the original e-mail. It was sending to every one of our distribution lists. The exchange server is halted now until we can contain this.
Anonymous
We're talking about two different things here.

A major auditing firm sent us some emails with the link that SB posted, however it's to a .SCR file even though the link in the email says .PDF (as he corrected in a later post).

They use McAfee and McAfee added detection as of today. Their writeup for this non-PDF infection is at http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=275352#none

It appears to require local administrator rights to do its thing since it installs into %WINDIR%. "Least privilege" stops another one even if the AV vendors can't.

FWIW, we tested it against the six anti-malware systems we use. Bitdefender and Kaspersky on the proxy server both stopped the download if the link was clicked.

Every engine we have enabled on Forefront for Exchange let the email go right through because it was just a link. The Sophos email gateway did the same because it was just a link. These systems update every hour.

The two engines on the proxy server marked it as:

Bitdefender: Gen:Trojan.Heur.rm0@fnBStPoi

Kaspersky: Suspicious:HEUR:Trojan.Win32.Generic
Anonymous
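
Added example (mine, not from the thread): the check the mail gateways described in the post above did not make, written in Python. It parses the message body, pairs each link's visible text with its real target, and flags a target whose last extension is executable, or one that does not deliver the document the text claims, so a link that reads "...pdf" but fetches "..._pdf.scr" is caught on the mismatch rather than on a signature. The extension lists are this example's own choice, and the sample message is constructed to mirror the "Here you have" lure quoted in this thread with example.com hosts in place of the real ones.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Extensions Windows executes when the downloaded file is opened. The set is
# this example's choice; extend it to match your gateway policy.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
                   ".cpl", ".vbs", ".js", ".hta", ".msi"}
# Extensions a lure typically claims in the visible text.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}


def real_extension(url: str) -> str:
    """Extension of the URL's path, ignoring query and fragment.
    'PDF_Document21_025542010_pdf.scr' gives '.scr': only the last dot counts."""
    return posixpath.splitext(urlparse(url).path)[1].lower()


def claimed_extension(text: str) -> str:
    """Extension the visible link text claims, or '' if it claims none."""
    shown = text.strip().lower()
    for ext in DOCUMENT_EXTS:
        if shown.endswith(ext):
            return ext
    return ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def find_deceptive_links(html: str) -> list:
    """Return (href, text, reason) for links that fetch an executable or whose
    visible text claims a document that the target does not deliver."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = real_extension(href)
        claimed = claimed_extension(text)
        if real in EXECUTABLE_EXTS:
            findings.append((href, text, "target is an executable (%s)" % real))
        elif claimed and real != claimed:
            findings.append((href, text, "text claims %s but target is %s"
                             % (claimed, real or "no extension")))
    return findings


# Constructed sample modelled on the "Here you have" lure quoted in this
# thread, with example.com / example.co.uk in place of the real hosts.
SAMPLE_EMAIL = """<p>Hello:</p>
<p>This is The Document I told you about,you can find it Here.
<a href="http://members.example.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr">
http://www.example.com/library/PDF_Document21.025542010.pdf</a></p>
<p>Please check it and reply as soon as possible.</p>
<p><a href="http://www.example.com/policy.pdf?rev=3">policy.pdf</a>
<a href="http://www.example.com/unsubscribe">unsubscribe</a></p>
"""


if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_EMAIL):
        print("%s\n  shown as: %s\n  %s" % (href, text.strip(), reason))
```

The two benign links in the sample (a real .pdf with a query string, and a plain page link) pass, which is the point of comparing the path's last extension rather than grepping for "pdf" anywhere in the URL.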
This appears to also disable McAfee. TrendMicro doesn't see it at all.
PhilBAR

I think I remember reading something about Adobe products using .scr files for scripting. Is this correct?
PhilBAR

For everyone mentioning the "Here you have" user click trojan above, unless it gets updated, it has nothing to do with the Adobe Advisory. About the only thing that can be said about it is that it is a link claiming to be a pdf that turns out to be otherwise.

Back on topic, EMET 2.0 is supposed to take care of the "Not so" Cooltype.dll exploit.

Quote: "Current exploits in the wild target the Windows platform. Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited. For more information on EMET and implementing this mitigation, please refer to the Microsoft Security Research and Defense blog. Note that due to the time-sensitive nature of this issue, testing of the functional compatibility of this mitigation has been limited. Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows."
Anonymous
So, decided to get a jump on the week and try out EMET to protect against Acrobat exploits.

On Windows 7 EMET applies all the protections to Acrobat Reader.

On Windows Server 2003 Terminal Server it shows the green ball that Acrobat Reader is being run with EMET and tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected)

On Windows XP SP3 it's a total strikeout. Tells you that DEP is system opt-in, ASLR and SEHOP are not available (expected), but no program gets shown running with EMET. (Huh?)

Well, it's cross-your-fingers-and-hope time...
Anonymous
The 'Here you have' case is a totally different case, although the malicious attachment in that case has a .pdf extension (....pdf.scr).
Juha-Matti

John wrote "Secure Document Format (SDF) please!!!" +1
Anonymous