New BackDoor Attacks Using PDF Documents

Thursday, February 19, 2009 at 11:14pm by Geok Meng Ong

Zero-day attacks remain the preferred choice of cyber criminals and will continue to be so in 2009. If the recent W32/Conficker.worm (MS08-067) and Exploit-XMLhttp.d (MS08-078, MS09-002) were not proof enough, here is another one.

At the turn of 2009, malicious PDF documents were discovered exploiting a zero-day vulnerability affecting Adobe Reader 8.x and 9.x. While parsing a specially crafted embedded object, a bug in the reader lets the attacker overwrite memory at an arbitrary location. The attacks found in the field use the well-known heap-spray technique, implemented in JavaScript, to gain control of code execution (see below):

[Image: debugger view of the malicious code execution]

In the image above, the eax register has been crafted to point to the malicious shellcode, which installs a trojan. When successful, the attack installs a backdoor that gives the attacker remote control and monitoring of the infected system. Further characteristics of this backdoor and detection details are posted at http://vil.nai.com/vil/content/v_153842.htm
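Why a heap spray makes the crafted eax value reliable is easier to see in code. The following is an added simulation written for this post, not code from the original article or from the malware it describes: it models each sprayed JavaScript string as a block of NOP bytes ending in a stand-in payload, then "executes" from an imprecise pointer by walking over the NOPs. The block size (256 KB), the number of copies (64), the payload bytes and the way the landing address is derived from a seed are all assumptions; no real shellcode is run.

```c
/* Added example: simulation of a JavaScript heap spray. Not from the
 * original post or from the malware it describes. Sizes, payload bytes and
 * the pointer derivation are assumptions; nothing here executes shellcode. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP         0x90         /* x86 single-byte NOP used as slide filler       */
#define PAYLOAD_TAG 0xCC         /* first byte of the stand-in "shellcode"          */
#define BLOCK_SIZE  (256 * 1024) /* assumed size of one sprayed JavaScript string   */
#define BLOCK_COUNT 64           /* assumed number of copies the spray loop creates */

/* Stand-in for shellcode: never executed, only recognised by the walker. */
static const unsigned char fake_payload[] = { PAYLOAD_TAG, 0xDE, 0xAD, 0xBE, 0xEF };

/* Build one sprayed block: a long NOP slide with the payload at the end,
 * the same layout a spray gets from concatenating unescape()'d NOPs and code. */
unsigned char *make_block(void)
{
    unsigned char *b = malloc(BLOCK_SIZE);
    if (b == NULL)
        return NULL;
    memset(b, NOP, BLOCK_SIZE - sizeof fake_payload);
    memcpy(b + BLOCK_SIZE - sizeof fake_payload, fake_payload, sizeof fake_payload);
    return b;
}

/* Emulate execution starting at byte `off` of a block: step over NOPs and
 * return 1 if the intact payload is reached, 0 on anything else (a "crash"). */
int walk_from(const unsigned char *block, size_t off)
{
    for (; off < BLOCK_SIZE; off++) {
        if (block[off] == PAYLOAD_TAG)
            return memcmp(block + off, fake_payload, sizeof fake_payload) == 0;
        if (block[off] != NOP)
            return 0;   /* landed inside the payload bytes or on garbage */
    }
    return 0;
}

/* Model of the attack: the hijacked register selects one of BLOCK_COUNT heap
 * slots and an arbitrary offset, both derived from `seed`. Only the first
 * `nblocks` slots are allocated; a pointer into an empty slot is a crash.
 * Returns 1 on successful "execution", 0 on crash, -1 if allocation failed. */
int spray_and_land(unsigned seed, int nblocks)
{
    unsigned char *blocks[BLOCK_COUNT] = { 0 };
    int result = -1;

    for (int i = 0; i < nblocks && i < BLOCK_COUNT; i++) {
        blocks[i] = make_block();
        if (blocks[i] == NULL)
            goto cleanup;
    }

    {
        unsigned slot = seed % BLOCK_COUNT;                /* which heap slot   */
        size_t   off  = (seed * 2654435761u) % BLOCK_SIZE; /* where inside it   */
        result = blocks[slot] ? walk_from(blocks[slot], off) : 0;
    }

cleanup:
    for (int i = 0; i < BLOCK_COUNT; i++)
        free(blocks[i]);
    return result;
}

int main(void)
{
    printf("pointer lands after full spray  : %d\n", spray_and_land(12345, BLOCK_COUNT));
    printf("same pointer with a single block: %d\n", spray_and_land(12345, 1));
    return 0;
}
```

With the full spray the imprecise pointer almost always lands in a NOP slide and slides into the payload; with a single block the same pointer usually hits an empty slot, which is the crash the spray is designed to avoid. The walker also models the small residual failure window: an address that falls inside the payload bytes themselves, rather than before them, does not run correctly.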

While the distribution of this exploit has so far appeared to be targeted, new variants are expected as more information becomes public. As the Conficker experience showed, poor patch management is a worrying trend that deserves more attention from IT security practitioners. Adobe is expected to release a patch very soon:

http://www.adobe.com/support/security/advisories/apsa09-01.html

Comments (10)

  • Asheerq April 5, 2009 7:37PM

    I think Adobe updated it now.
    Thanks dear.

  • LouNaTech March 11, 2009 9:41AM

    Adobe’s Patch Is Released for Acrobat Reader 8.x & 9.x

    Adobe recommends Adobe Reader users update to Adobe Reader 9.1, available here:
    http://get.adobe.com/reader/

    Acrobat 9

    Adobe recommends Acrobat 9 Standard and Acrobat 9 Pro users on Windows update to Acrobat 9.1, available at the following URLs:
    http://www.adobe.com/support/downloads/detail.jsp?ftpID=4375
    http://www.adobe.com/support/downloads/detail.jsp?ftpID=4382

    Adobe recommends Acrobat 9 Pro Extended users on Windows update to Acrobat 9.1, available here:
    http://www.adobe.com/support/downloads/detail.jsp?ftpID=4381

    Adobe recommends Acrobat 9 Pro users on Macintosh update to Acrobat 9.1, available here:
    http://www.adobe.com/support/downloads/detail.jsp?ftpID=4374

    Still no talk of the vulnerability of Acrobat 6.x

  • Daniel Y March 2, 2009 2:41PM

    There are a few new PoCs at milw0rm that do not appear to be detected by VirusScan using the most recent DAT release. I’ve submitted some samples to AVERT in the hope that an updated DAT will come out soon. According to http://secunia.com/blog/44/, they created some samples that prove disabling JavaScript in Acrobat/Reader does not mitigate the risk. VirusScan buffer overflow protection may help for users running Internet Explorer, but not Firefox users.

  • Joe Blough February 26, 2009 6:37AM

    There is exploit code (in the form of a Perl script) at milw0rm. The script will generate a PDF file that contains the exploit. As of last night, 2 out of 39 AV programs on VirusTotal detect the milw0rm file as a threat. When tested on Acrobat 6 running on Windows 98, Acrobat displays a message that the file is corrupt and can’t be read. It does not crash. I take that as an indication that Acrobat 6 is not vulnerable to the exploit. Windows 98 wins again over NT-based OSes.

  • Johnno February 25, 2009 7:36AM

    Disabling Javascript may not help at all. I’ve noticed if you launch a “javascript” enabled PDF, it just keeps bugging you to turn it back on… Great fix for a corporate environment where users will agree to anything quickly if it’ll stop them being bugged!

  • Addus February 23, 2009 8:54AM

    Will Mcafee be releasing a HIPS signature for this? If so when is it planning on being released?

  • Addus February 23, 2009 8:53AM

    The CERT advisory states that disabling javascript in acrobat reader “may” prevent exploitation. What does “may” mean? Also if users have stripped down rights what would this do to the impact of exploit?

  • Geok Meng Ong February 22, 2009 5:38PM

    Larry, the vulnerability used by Conficker was exploited in the wild as a 0-day before the out-of-cycle patch was released, most notably by Spy-Agent.da.
    http://www.labs.com/research/blog/index.php/2008/10/24/first-glimpse-into-ms08-067-exploits-in-the-wild/

  • Joe Blough February 21, 2009 12:56PM

    Can anyone confirm (or can anyone post a reference) that Acrobat version 6 is, or is not, affected by this exploit or has this vulnerability? Is there any example code available for vulnerability testing?

  • Larry Seltzer February 20, 2009 3:16AM

    Conficker wasn’t a zero-day.