February 20th, 2009
Adobe Reader 9 and Acrobat 9 zero day exploited in the wild
Yesterday, Adobe confirmed the existence of a critical vulnerability affecting Adobe Reader and Acrobat versions 9.0 and earlier, originally detected by the Shadowserver Foundation last week.
The onging targeted attacks have since been confirmed by both, Symantec and McAfee urging users to disable JavaScript in Adobe Reader and Acrobat until Adobe issues a patch on the 11th of March in the following way - Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript.
Symantec’s comments on the potential for massive attacks using the exploit:
So far, these attacks appear to be targeted and not widespread. Symantec is continuing to monitor the vulnerability’s use in the wild.
While examining the JavaScript code used for “heap-spraying” in these PDFs, we can see the same comments that show that these separate exploit attempts come from the same source! It seems likely that the people behind this threat are using targeted attacks against high-ranking people within different organizations—for example, locating the CEO’s email address on the company website and sending a malicious PDF in the hope that their malicious payload will run. Once the machine is compromised, the attackers may gain access to sensitive corporate documents that could be costly for companies breached by this threat.
For the time being, cybercriminals chose to generate less noise by launching targeted attacks just like they did earlier this week using IE7’s MS09-002 vulnerability. However, as we’ve previously seen it’s only a matter of time until copycat attackers start using it on a large scale.
With several targeted campaigns currently active, what are the chances that a sample malware campaign would be once again monetizing infected hosts by infecting them with rogue security software similar to Conficker’s first release? Huge.
- Go through related incidents using Adobe exploits: MSN Norway serving Flash exploits through malvertising; CNET’s Clientside developer blog serving Adobe Flash exploits; Rigged PDFs exploiting just-patched Adobe Reader flaw
Upon analyzing the binary served once an infected host gets successfully exploited from a sample campaign, it’s attempting to trick the user into install the very latest rogue security software Spyware Protect 2009. The cute part is that the cybercriminals didn’t manage to successfully configure their campaign resulting in a 404 error.
What’s important to point out is that the original targeted attacks detected by the Shadowserver Foundation are once again using a well known and previously abused Chinese DNS provider (js001.3322.org) with more details about its owner available in a related BusinessWeek article.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
Subscribe to Zero Day via Email alerts or RSS.
