New BackDoor Attacks Using PDF Documents
Thursday February 19, 2009 at 11:14 pm CST
Posted by Geok Meng Ong
Needless to further remind everyone, zero-day attacks are the preferred choice of cyber criminals and will continue to be so in 2009. If the recent W32/Conficker.worm (MS08-087) and Exploit-XMLhttp.d (MS08-078, MS09-002) were not good enough to prove our point, here is another one.
At the turn of 2009, malicious PDF documents were discovered exploiting a 0-day vulnerability affecting Adobe Reader 8.x and 9.x. When parsing a specially crafted embedded object, a bug in the reader lets the attacker overwrite memory at an arbitrary location. The attacks found in the field use the infamous “HeapSpray” method via JavaScript to gain control of code execution (see below):

In the above image, the eax register has been crafted to point to the malicious shellcode, which installs a trojan. When successful, the attack installs a backdoor that gives the attacker remote control and monitoring of infected systems. Further characteristics of this backdoor and detection details are posted at http://vil.nai.com/vil/content/v_153842.htm
While distribution of this exploit so far appears to be targeted, new variants are expected as more information becomes public. As with the Conficker experience, the lack of good patch management is a very worrying trend that deserves more attention from IT security practitioners. Adobe is expected to release a patch very soon:
http://www.adobe.com/support/security/advisories/apsa09-01.html
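As an added example (not McAfee's code and not part of the original post), here is a defender-side Python triage script for the features described above: a document whose open action runs JavaScript, and script text carrying the hallmarks of a JavaScript heap spray (a %u-encoded sled passed to unescape(), a string doubled onto itself until it is large, a loop filling an array with copies). It also resolves PDF name escapes such as /J#61vaScript and inflates FlateDecode streams, since both are common ways to hide these names from naive string matching. The two sample PDFs are constructed inline, the scoring weights are an assumption, and the script is a triage aid, not a substitute for a signature-based scanner.

```python
"""Static triage of a PDF for JavaScript actions and heap-spray hallmarks."""
import re
import zlib

# Constructed sample (not a real exploit): an /OpenAction that runs a JavaScript
# stream whose script builds a large block of %u-encoded filler, the pattern the
# post describes. /JavaScript is written as /J#61vaScript to exercise the
# name-escape handling.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj
4 0 obj << /Length 150 >>
stream
var sled = unescape("%u9090%u9090%u9090%u9090");
while (sled.length < 0x40000) sled += sled;
var block = new Array();
for (var i = 0; i < 300; i++) block[i] = sled;
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: a catalog with no actions and no scripts.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names that make a PDF execute something when opened or interacted with.
ACTION_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]

# Script-text hallmarks of a JavaScript heap spray.
HEAP_SPRAY_PATTERNS = {
    "unescape_unicode": re.compile(rb"""unescape\s*\(\s*["'](?:%u[0-9a-fA-F]{4}){2,}"""),
    "self_doubling": re.compile(rb"\b(\w+)\s*\+=\s*\1\b"),
    "array_fill_loop": re.compile(rb"for\s*\([^)]*\)\s*\{?\s*\w+\s*\[\s*\w+\s*\]\s*="),
}


def decode_pdf_names(data: bytes) -> bytes:
    """Resolve #xx escapes, e.g. /J#61vaScript -> /JavaScript, so obfuscated names match."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Return each stream body, zlib-inflated when it is a FlateDecode stream."""
    bodies = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.DOTALL):
        raw = m.group(1)
        try:
            bodies.append(zlib.decompress(raw))
        except zlib.error:
            bodies.append(raw)  # not compressed (or not zlib); scan it as-is
    return bodies


def scan_pdf(data: bytes) -> dict:
    """Return the action names found, heap-spray hallmarks and a simple triage score."""
    # Scan the file plus every (inflated) stream, since object streams can hide names.
    text = b"\n".join([data] + inflate_streams(data))
    obfuscated = re.search(rb"/[A-Za-z]*#[0-9A-Fa-f]{2}", text) is not None
    text = decode_pdf_names(text)
    actions = [n.decode() for n in ACTION_NAMES if re.search(re.escape(n) + rb"\b", text)]
    spray = [name for name, rx in HEAP_SPRAY_PATTERNS.items() if rx.search(text)]
    # Assumed weighting: spray hallmarks and name obfuscation count double.
    score = len(actions) + 2 * len(spray) + (2 if obfuscated else 0)
    return {"actions": actions, "obfuscated_names": obfuscated,
            "heap_spray": spray, "score": score}


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, scan_pdf(pdf))
```

A non-zero score is a reason to open the file in a sandbox or submit it for analysis, not a verdict: legitimate forms use /JavaScript and /AA routinely, which is why the script weights the spray hallmarks and name obfuscation above the mere presence of an action.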

February 20th, 2009 at 03:16
Conficker wasn’t a zero-day.
February 20th, 2009 at 07:42
[...] the flaw natively in the programs, Adobe is already in contact with antivirus manufacturers such as McAfee and Symantec to ensure that users of such solutions are [...]
February 20th, 2009 at 08:04
[...] company McAfee noted in a blog that the current attacks appear to be targeted ones but that it expects new variants of the exploit [...]
February 20th, 2009 at 08:24
[...] Adobe PDF – Zero Day Exploit (how to turn off Javascript) http://isc.sans.org/diary.html?storyid=5902 http://www.adobe.com/support/security/advisories/apsa09-01.html http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219 http://blog.trendmicro.com/portable-document-format-or-portable-malware-format/ http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PIDIEF.IN http://www.avertlabs.com/research/blog/index.php/2009/02/19/new-backdoor-attacks-using-pdf-documents… http://vil.nai.com/vil/content/v_153842.htm [...]
February 20th, 2009 at 09:04
[...] a critical vulnerability in Adobe Reader and Acrobat and at least one zero-day exploit for them in the wild already. Yet, Adobe (ADBE) won’t have a fix for it in place until March [...]
February 20th, 2009 at 11:09
[...] zero day exploit that affects Adobe Reader 8.x and 9.x according to NAI as noted in their blog post http://www.avertlabs.com/research/blog/index.php/2009/02/19/new-backdoor-attacks-using-pdf-documents…. What’s worse is the attack installs a backdoor and monitoring into your system, so even after [...]
February 20th, 2009 at 11:34
[...] company McAfee noted in a blog that the current attacks appear to be targeted ones but that it expects new variants of the exploit [...]
February 20th, 2009 at 11:35
[...] company McAfee noted in a blog that the current attacks appear to be targeted ones but that it expects new variants of the exploit [...]
February 20th, 2009 at 13:43
[...] has some more details. While the vulnerability isn’t widely exploited yet, more malware using this bug is expected [...]
February 20th, 2009 at 15:41
[...] http://www.avertlabs.com/research/blog/index.php/2009/02/19/new-backdoor-attacks-using-pdf-documents... http://www.us-cert.gov/cas/tips/ST04-010.html http://www.cert.org/tech_tips/securing_browser/ [...]
February 20th, 2009 at 16:33
[...] hole is already being exploited, according to Symantec and McAfee. Both companies suggest you should disable JavaScript by going to Edit, selecting Preferences and [...]
February 21st, 2009 at 12:56
Can anyone confirm (or can anyone post a reference) that Acrobat version 6 is, or is not, affected by this exploit or has this vulnerability? Is there any example code available for vulnerability testing?
February 21st, 2009 at 13:41
[...] http://www.avertlabs.com/research/blog/index.php/2009/02/19/new-backdoor-attacks-using-pdf-documents... http://www.us-cert.gov/cas/tips/ST04-010.html http://www.cert.org/tech_tips/securing_browser/ [...]
February 22nd, 2009 at 05:44
[...] Symantec Corp has discovered that Trojan makers have once again successfully infiltrated Adobe Acrobat Reader, a software application developed by Adobe Systems Inc. [...]
February 22nd, 2009 at 16:49
[...] — Adobe Reader and Acrobat buffer overflow vulnerability (2009-Feb-23) [AusCERT] [4] New BackDoor Attacks Using PDF Documents (2009-Feb-19) [McAfee AVERT] Possibly related posts: (automatically generated) Acrobat 8.1.2 [...]
February 22nd, 2009 at 17:38
Larry, the vulnerability used by Conficker was exploited in the wild as a 0-day before the out-of-cycle patch was released, most notably by Spy-Agent.da.
http://www.avertlabs.com/research/blog/index.php/2008/10/24/first-glimpse-into-ms08-067-exploits-in-the-wild/
February 23rd, 2009 at 00:09
[...] Computer Security Research – McAfee Avert Labs Blog [...]
February 23rd, 2009 at 06:24
[...] from the web Posted February 23, 2009 Filed under: Uncategorized | This worries me (more information). It would appear that you could craft PDFs that could hijack someone’s machine simply by their [...]
February 23rd, 2009 at 08:53
The CERT advisory states that disabling JavaScript in Acrobat Reader “may” prevent exploitation. What does “may” mean? Also, if users have stripped-down rights, what would this do to the impact of the exploit?
February 23rd, 2009 at 08:54
Will McAfee be releasing a HIPS signature for this? If so, when is it planning on being released?
February 25th, 2009 at 07:36
Disabling JavaScript may not help at all. I’ve noticed if you launch a “JavaScript” enabled PDF, it just keeps bugging you to turn it back on… Great fix for a corporate environment where users will agree to anything quickly if it’ll stop them being bugged!
February 26th, 2009 at 06:37
There is exploit code (in the form of a Perl script) at milw0rm. The script will generate a PDF file that contains the exploit. As of last night, 2 out of 39 AV programs on VirusTotal detect the milw0rm file as a threat. When tested on Acrobat 6 running on Windows 98, Acrobat displays a message that the file is corrupt and can’t be read. It does not crash. I take that as an indication that Acrobat 6 is not vulnerable to the exploit. Windows 98 wins again over NT-based OSes.
February 26th, 2009 at 13:32
[...] are reports that exploits are already making the rounds and if these are accurate, which they appear to be, look [...]
March 2nd, 2009 at 14:41
There are a few new PoCs at milw0rm that do not appear to be detected by VirusScan using the most recent DAT release. I’ve submitted some samples to AVERT in the hope that an updated DAT will come out soon. According to http://secunia.com/blog/44/, they created some samples that prove disabling JavaScript in Acrobat/Reader does not mitigate the risk. VirusScan buffer overflow protection may help for users running Internet Explorer, but not Firefox users.
March 11th, 2009 at 09:41
Adobe’s Patch Is Released for Acrobat Reader 8.x & 9.x
Adobe recommends Adobe Reader users update to Adobe Reader 9.1, available here:
http://get.adobe.com/reader/
Acrobat 9
Adobe recommends Acrobat 9 Standard and Acrobat 9 Pro users on Windows update to Acrobat 9.1, available at the following URLs:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4375
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4382
Adobe recommends Acrobat 9 Pro Extended users on Windows update to Acrobat 9.1, available here:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4381
Adobe recommends Acrobat 9 Pro users on Macintosh update to Acrobat 9.1, available here:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4374
Still no talk of the vulnerability of Acrobat 6.x.
March 12th, 2009 at 01:41
[...] http://www.adobe.com/support/security/bulletins/apsb09-03.html http://www.avertlabs.com/research/blog/index.php/2009/02/19/new-backdoor-attacks-using-pdf-documents... http://jbig2.com/ http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219 [...]
April 5th, 2009 at 19:37
I think Adobe updated it now.
Thanks, dear.
April 21st, 2009 at 19:52
[...] to the McAfee security blog, malicious PDF documents are already in the wild, and have been appearing across the web since [...]
June 4th, 2009 at 05:16
[...] http://www.adobe.com/support/security/bulletins/apsb09-03.html http://www.avertlabs.com/research/blog/index.php/2009/02/19/new-backdoor-attacks-using-pdf-documents... http://jbig2.com/ http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219 [...]
July 22nd, 2009 at 19:47
[...] As we already mentioned multiple times in the past, exploits that take advantage of newly discovered holes in popular applications represent a [...]
July 24th, 2009 at 01:18
[...] 0-Day Attacks Using PDF Documents As we already mentioned multiple times in the past, exploits that take advantage of newly discovered holes in popular applications represent a growing [...]