It seems those responsible for the previously reported attacks, which we followed up on only yesterday, are still busy and most probably still successful. Holger reported a site that, via obfuscation and redirection, pointed back to the same site where Bojan initially found his malicious PDFs. Interestingly, the PDFs are new files. Checking the new PDF again on VirusTotal (both file names have the same content, MD5: e51f24ec2e3d2cf71aa1ba74a7210841) to get an up-to-date idea of the coverage, we get this:
All the other products tested at VirusTotal fail to detect these newer PDFs at all at this time. So, what are we to do?
Perhaps the policy file contributed by Elazar can help you:

CLASS USER
CATEGORY "Adobe Acrobat/Reader 6.x - 8.x"
  POLICY "JavaScript Reader 8.x"
    KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
    EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x"
    VALUENAME "bEnableJS"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY "JavaScript Acrobat 8.x"
    KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs"
    EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x"
    VALUENAME "bEnableJS"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY "JavaScript Reader 7.x"
    KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs"
    EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x"
    VALUENAME "bEnableJS"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY "JavaScript Acrobat 7.x"
    KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs"
    EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x"
    VALUENAME "bEnableJS"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY "JavaScript Reader 6.x"
    KEYNAME "Software\Adobe\Acrobat Reader\6.0\JSPrefs"
    EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 6.x"
    VALUENAME "bEnableJS"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY "JavaScript Acrobat 6.x"
    KEYNAME "Software\Adobe\Adobe Acrobat\6.0\JSPrefs"
    EXPLAIN "Enable or Disable JavaScript in Acrobat 6.x"
    VALUENAME "bEnableJS"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY

Disclaimer: I've not tried this policy file.

UPDATE: Holger seems to have taken an interest in this and reported that they seem to have updated the attack once again, no more detection in virustotal.
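To verify that such a policy actually took effect on endpoints, here is an added example (not from the diary and not Elazar's policy file) that parses the ADM text into its registry targets, flags machines where bEnableJS is not set to the VALUEOFF value, and renders the same settings as a .reg file. The ADM excerpt and the registry snapshot are constructed for the example; it assumes that an absent bEnableJS value means Reader's default, which leaves JavaScript enabled.

```python
import re
# Constructed excerpt of the diary's ADM policy text (Reader 8.x and Acrobat 8.x blocks only).
ADM_TEXT = r'''CLASS USER
  POLICY "JavaScript Reader 8.x"
    KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
    EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x"
    VALUENAME "bEnableJS"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY "JavaScript Acrobat 8.x"
    KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs"
    VALUENAME "bEnableJS"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY'''

POLICY_RE = re.compile(r'POLICY\s+"([^"]+)"(.*?)END POLICY', re.S)
FIELD_RE = re.compile(r'(KEYNAME|VALUENAME)\s+"([^"]+)"|(VALUEON|VALUEOFF)\s+NUMERIC\s+(\d+)')

def parse_adm_policies(text):
    """One dict per POLICY block: name, hive, keyname, valuename, valueon, valueoff.
    CLASS USER policies land under HKCU, CLASS MACHINE under HKLM; EXPLAIN text is skipped."""
    hive = "HKEY_CURRENT_USER" if re.search(r"^\s*CLASS\s+USER", text, re.M) else "HKEY_LOCAL_MACHINE"
    policies = []
    for name, body in POLICY_RE.findall(text):
        p = {"name": name, "hive": hive}
        for m in FIELD_RE.finditer(body):
            if m.group(1):  # string field (KEYNAME / VALUENAME)
                p[m.group(1).lower()] = m.group(2)
            else:           # numeric field (VALUEON / VALUEOFF)
                p[m.group(3).lower()] = int(m.group(4))
        policies.append(p)
    return policies

def js_enabled_findings(policies, registry_snapshot):
    """Flag policies whose current value is not VALUEOFF. registry_snapshot maps 'HIVE\\key\\valuename'
    to an int as exported from an endpoint; an absent value is Reader's default (JavaScript enabled)."""
    findings = []
    for p in policies:
        path = f'{p["hive"]}\\{p["keyname"]}\\{p["valuename"]}'
        if (current := registry_snapshot.get(path)) != p["valueoff"]:
            findings.append((p["name"], path, current))
    return findings

def to_reg_file(policies):
    """Render a .reg file that sets every policy to its VALUEOFF value (JavaScript disabled)."""
    body = [f'[{p["hive"]}\\{p["keyname"]}]\n"{p["valuename"]}"=dword:{p["valueoff"]:08x}\n' for p in policies]
    return "Windows Registry Editor Version 5.00\n\n" + "\n".join(body)
```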
-- Swa, Nov 11th 2008
I have never wanted to release or view executable content in my PDF files. I wish Adobe would release a trimmed version of Acrobat that just displays text and graphics in a static document, as God intended.
-- Anonymous, Nov 12th 2008