09/13/2010

Who's Behind the Adobe PDF Exploit?

Now that researchers at places like Symantec (makers of Norton Antivirus) have had a chance to delve into the exploit, theories are starting to emerge about who's behind it.

Karthik Selvaraj, a researcher at Symantec, writes in a Symantec blog post:

While things had been quiet, we were quite certain that the gang behind Trojan.Hydraq hadn't gone away. It looks like they are back, as we've been seeing evidence of their attacks since January....

Where it gets interesting is in the dissection Karthik does.

He takes apart the email, the social engineering, and the exploit itself, and lo and behold, the techniques are eerily similar to those of the earlier Hydraq attacks.

The next quote is a little long, but given how concisely Symantec describes the exploit and the attack, we'll let the Symantec blog speak for itself here:

"If the above emails look familiar, it is because their style is very similar to the emails used in Hydraq (Aurora) attacks.

"In addition, the use of a zero-day within a PDF, and how the executable is dropped on the system, all match the Hydraq method of operation.

"Furthermore, we have seen a large number of detections of unique versions of the PDF--not yet seen elsewhere in the wild--coming from a single computer in the Shandong Province of China, which is how far back investigators were able to trace the Hydraq attacks. [Editor's Note: Emphasis mine.]

"All of these similarities could be coincidental, but these attacks appear to be from the same perpetrators.

"The PDFs inside all the above emails exploit the same Adobe zero-day vulnerability and each drop similar downloader components, but with different decoy PDFs. Some had different URLs to download additional malware."

Huh. Attacks based in China. Who would have guessed?

Frequent readers may recall the list we shared not long ago of the Top 10 Riskiest Domains by Extension, where China placed third.

All in all, beyond the excellent analysis by Symantec's researchers, we'd also like to echo their equally excellent advice about PDFs:

  1. keep your antivirus software up to date
  2. exercise caution when dealing with PDF files
  3. disable JavaScript in your PDF reader (e.g. Acrobat/Reader); it isn't a complete defense, since a vulnerability can sit in the PDF parser itself, but it takes away the scripting most in-the-wild PDF exploits rely on
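Since advice 2 and 3 amount to "know whether a PDF carries script before you open it," here is a small triage scanner written for this post. It is an added example, not code from the original post or from Symantec, and the sample PDF it builds is constructed for the demo rather than taken from the attack. It counts the names a script-driven PDF exploit needs (/JavaScript and /JS for the script, /OpenAction and /AA to run it on open, /Launch to start an external program) and, because malicious files routinely hide those names inside FlateDecode-compressed object streams and hex-escape them (/Java#53cript), it inflates every stream and undoes the escapes first. A plain grep of the sample file finds nothing; the scanner does.

```python
"""
Added example, not code from the original post or from Symantec: a small
triage scanner for the features that a script-driven PDF exploit needs.
The sample PDF built at the bottom is constructed for this demo and is
not a real exploit.
"""
import re
import zlib
from collections import Counter

# Names worth flagging. PDF names are case sensitive.
SUSPECT = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
           b"/Launch", b"/EmbeddedFile"]

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def unescape_names(data: bytes) -> bytes:
    """Undo #xx escapes so /Open#41ction reads /OpenAction.
    Applied to the whole buffer: we only look for names, so touching
    #xx sequences elsewhere is harmless."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def stream_bodies(data: bytes):
    """Yield the decoded body of every stream. decompressobj() is used
    instead of zlib.decompress() because it still returns data when the
    stream is truncated or its end marker is off by a byte, which is
    common in malformed (and malicious) PDFs."""
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # not Flate-compressed (or corrupt): scan the raw bytes


def scan_pdf(data: bytes) -> Counter:
    """Count suspect names outside streams and inside each decoded stream."""
    views = [STREAM_RE.sub(b"", data)] + list(stream_bodies(data))
    counts = Counter({kw: 0 for kw in SUSPECT})
    for view in views:
        view = unescape_names(view)
        for kw in SUSPECT:
            # A name ends at a delimiter; the lookahead stops /JS matching /JSX.
            counts[kw] += len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9_])", view))
    return counts


def is_suspicious(data: bytes) -> bool:
    """Script present (what 'disable JavaScript' defends against) or a
    /Launch action: either deserves a look before the file is opened."""
    c = scan_pdf(data)
    return c[b"/JavaScript"] + c[b"/JS"] + c[b"/Launch"] > 0


def build_sample_pdf() -> bytes:
    """Constructed demo: a minimal PDF whose catalog and JavaScript action
    sit inside a FlateDecode object stream, with /OpenAction hex-escaped."""
    hidden = (b"1 0 obj << /Type /Catalog /Open#41ction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj\n")
    packed = zlib.compress(hidden)
    return (b"%PDF-1.5\n"
            b"3 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed
            + b"\nendstream\nendobj\ntrailer << /Root 3 0 R >>\n%%EOF\n")


# Constructed benign file for comparison: no script, no automatic actions.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("sample", build_sample_pdf()), ("benign", BENIGN_PDF)):
        verdict = "suspicious" if is_suspicious(pdf) else "clean"
        print(label, dict(scan_pdf(pdf)), verdict)
```

Run it against a mailbox's attachments before they reach a reader with JavaScript enabled. It is a screening check, not a detection: a PDF with script is not necessarily hostile, and an exploit that needs no script (one aimed squarely at the parser) will pass it, which is exactly why the advice above pairs this with an up-to-date antivirus.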

One last note: all the major antivirus vendors are detecting this attack, with Norton flagging it as Bloodhound.PDF!gen1 and as Bloodhound.Exploit.357.

09/10/2010

Adobe PDF Exploit Making the Rounds

September is proving to be a busy month for the bad guys. Aside from the latest email worm, dubbed W32/[email protected] by McAfee, Adobe Reader is also being exploited by cyber criminals.

This latest bug (CVE-2010-2883), rated "Critical," Adobe's highest severity, affects Adobe Reader and Acrobat 9.3.4 and earlier on the following platforms:

  • Microsoft Windows
  • Apple Macintosh
  • Unix

According to Adobe, a mitigation is available for Windows users, though patching is definitely the better choice once a fixed version is available. Their official advisory warns:

"Current exploits in the wild target the Windows platform. Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited.

"For more information on EMET and implementing this mitigation, please refer to the Microsoft Security Research and Defense blog. Note that due to the time-sensitive nature of this issue, testing of the functional compatibility of this mitigation has been limited.

"Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows."

Possible effects of the exploit?

Adobe says, "This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system," so unless you have a very good reason not to, update Adobe Acrobat/Reader as soon as a fixed version is available, and apply the EMET mitigation on Windows in the meantime.

For more details, here's a post from Sophos on the Adobe Acrobat/Reader exploit and the official Adobe Reader/Acrobat security advisory.

09/09/2010

Email Worm Hits Outlook Users: [email protected]

As if we hadn't all learned the hard lessons of 2001 (among them: don't open attachments you aren't expecting, and don't click links in emails you aren't expecting), there's a new worm making the rounds today.

With this newest iteration of the email worm, dubbed "Here you have" or W32/[email protected], it seems we need to re-learn some of those old lessons once more.

Here's what two of the worm's emails look like:

Subject: Here you have
Hello:

This is The Document I told you about,you can find it Here.
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,

Subject: Just For you
Hello:

This is The Free Dowload Sex Movies,you can find it Here. http://www.sharemovies.com/library/SEX21.025542010.wmv

Enjoy Your Time.

Cheers,

According to the write-up on McAfee's antivirus blog, it's a fairly sophisticated worm that spreads in the following ways:

  1. via Outlook, spamming itself to everyone in your contact list
  2. over network shares
  3. AutoRun on removable media (e.g. flash/thumb drives)

All in all, it combines the techniques of the old-school Outlook viruses with those of the more recent multi-vector worms, including disabling antivirus software.

Sneaky for sure.

On top of that, it disguises itself as a .pdf file: the link looks like it points at a PDF document, but what's served is an executable program.

We've all been trained for so long to regard .pdf files as harmless, when in fact they're not; PDFs have become an attack vector more than once recently.
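The disguise works only because people trust the name. A file's first bytes are harder to fake: a PDF starts with "%PDF-" and a Windows executable (.exe, .scr, .dll and friends) starts with "MZ". The check below is an added example written for this post, not code from the original or from McAfee; it compares the extension a file (or the URL it came from) declares with what its leading bytes say it is, and also flags double extensions such as Report.pdf.exe, which Explorer shows as "Report.pdf" when known extensions are hidden. The file contents it runs on are constructed for the demo, and the lure URL is the one from the worm's email above.

```python
"""
Added example, not code from the original post or from McAfee: does the
name of a file (or its URL) agree with what its first bytes say it is?
Sample contents below are constructed for the demo.
"""
import os
from urllib.parse import urlparse

# (leading bytes, content type)
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "pe"),                 # .exe, .scr, .dll, .cpl, .com all start this way
    (b"PK\x03\x04", "zip"),        # also .docx/.xlsx/.jar containers
    (b"\xd0\xcf\x11\xe0", "ole"),  # legacy .doc/.xls/.ppt and .msi
]

# Extensions that legitimately carry each content type.
EXPECTED = {
    "pdf": {".pdf"},
    "pe": {".exe", ".scr", ".dll", ".cpl", ".com", ".sys"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "ole": {".doc", ".xls", ".ppt", ".msi"},
}

# Extensions Windows will run directly when double-clicked.
EXECUTABLE = EXPECTED["pe"] | {".bat", ".cmd", ".vbs", ".js", ".pif", ".hta"}


def sniff(data: bytes) -> str:
    """Content type from the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def file_name(name_or_url: str) -> str:
    """Last path component of a plain filename or of a URL."""
    path = urlparse(name_or_url).path if "://" in name_or_url else name_or_url
    return os.path.basename(path)


def declared_extension(name_or_url: str) -> str:
    return os.path.splitext(file_name(name_or_url))[1].lower()


def double_extension(name_or_url: str) -> bool:
    """Report.pdf.exe: an inner extension followed by an executable one."""
    base, ext = os.path.splitext(file_name(name_or_url))
    inner = os.path.splitext(base)[1]
    return bool(inner) and ext.lower() in EXECUTABLE


def check(name_or_url: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed content type."""
    kind = sniff(data)
    ext = declared_extension(name_or_url)
    mismatch = kind != "unknown" and ext not in EXPECTED[kind]
    dbl = double_extension(name_or_url)
    return {
        "declared": ext,
        "actual": kind,
        "mismatch": mismatch,
        "double_extension": dbl,
        "verdict": "BLOCK" if (mismatch or dbl) else "ok",
    }


# Constructed samples: the lure URL from the worm's email, served with a
# fake PE stub instead of a PDF, and a genuine-looking PDF for contrast.
LURE_URL = "http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf"
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
REAL_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, data in ((LURE_URL, FAKE_PE), ("report.pdf", REAL_PDF),
                       ("Report.pdf.exe", FAKE_PE)):
        print(file_name(name), check(name, data))
```

The same comparison belongs at the mail gateway and in the download path of a browser proxy: read the first few bytes of whatever the "PDF" link actually returns and refuse to hand an MZ file to the user under a document name.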

As far as good news goes, the malware:

  1. isn't auto-executing (as the Outlook viruses of a few years ago were)
  2. requires that a user click the link and then run the file
  3. is being caught by most antivirus software

As the folks at Kaspersky point out in their post about the "Here You Have" virus:

"The difference with those earlier attacks is that the emails typically carried the malicious file itself and didn't rely on a link to a downloading site.

"But the technique used to entice users to click on the attachment or malicious link is the same: Offer the user something he wants to see."

Which brings up a point that can't be repeated enough:

  • No matter how tempting: avoid opening emails you weren't expecting, even when they come from someone you know. This worm mails itself to everyone in an infected user's contact list, so the sender will look familiar; subject lines like the ones above are the giveaway.
  • If you absolutely must open such an email, don't click the links in it.
  • If you absolutely must click the link (or do so accidentally) and you're prompted to 'Run' a file, don't. Just don't.

No matter how tempting, I assure you, you're not missing out on anything except for anger, frustration, tears, heartache, and a trip to your local computer store.