Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Acrobat continued activity in the wild SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Acrobat continued activity in the wild

It seems those responsible for the prior reported attacks, and followed up only yesterday, are still busy and most probably successful at it.

Holger reported a site that via obfuscation and redirection pointed back to the same site as where Bojan initially found his malicious pdfs.

Interesting the pdfs are new files.

Checking the new pdf again (both file names have the same content (MD5: e51f24ec2e3d2cf71aa1ba74a7210841) on virustotal to get an up to date idea of the coverage, we get this:

Antivirus Version Last Update Result
SecureWeb-Gateway 6.7.6 2008.11.11 Exploit.PDF.Shellcode.gen (suspicious)
Symantec 10 2008.11.11 Trojan.Pidief.D

All the rest of the products tested at virustotal fail to detect these newer pdfs at all at this time.

So, what are to do ?

  • Are your acrobat installations fully up to date on patches ? How can you be sure ?
  • Do you really need pdf viewers to execute downloaded javascript ? How can it be turned off ?

Perhaps the policy file contributed by Elazar can help you:

CLASS USER 
 
CATEGORY "Adobe Acrobat/Reader 6.x - 8.x" 
 
POLICY "JavaScript Reader 8.x" 
KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 8.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Reader 7.x" 
KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 7.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Reader 6.x" 
KEYNAME "Software\Adobe\Acrobat Reader\6.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 6.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 6.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\6.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 6.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
END CATEGORY

Disclaimer: I've not tried this policy file.

UPDATE:

Holger seems to have taken an interest in this and reported that they seem to have updated the attack once again, no more detection in virustotal.

 

--
Swa Frantzen -- Section 66

 Swa

760 Posts
Subscribe Nov 11th 2008
1 decade ago
I have never wanted to release or view executable content in my PDF files. I wish Adobe would release a trimmed version of Acrobat that just displays text and graphics in a static document, as God intended.
 Anonymous
Quote Nov 12th 2008
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!