Wednesday, December 16, 2009

Adobe Acrobat 0-day Analysis

So as promised in my earlier post, I have started the analysis of the exploit, and here are some details thus far. The exploit is affecting Adobe Reader and Acrobat 9.2 and earlier.
When the malicious PDF file is opened in Adobe Acrobat/Reader it attempts to download an executable payload.
The payload I analyzed was downloaded from hxxp://foruminspace.com/documents/dprk/
This server looks like it has been taken down a few times since about 6am EST this morning but is back up.
The executable, once downloaded, searches for and encrypts certain files and then uploads them to another server. This server is online and its contents are publicly browsable.

Based on the number of files found on the upload server, it appears that this exploit is only being used in specific, targeted attacks at this time; however, this may change at any point.

Adobe's patch schedule is quarterly, with security patches released as needed on the same release day as Microsoft's patches; under this patching SOP it could be January 12th before Adobe pushes out a patch.

I detected the exploit as Exploit:W32/AdobeReader.Uz,
the downloader file as Trojan-Dropper:W32/Agent.MRH,
and the dropped files as Trojan:W32/Agent.MRI, Trojan:W32/Agent.MRJ, and Rootkit:W32/Agent.MRK.

At this point I would recommend using alternative PDF readers, or disabling the JavaScript option within Adobe products, as a temporary remediation.
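A triage check in the spirit of the remediation above, added here as an example and not part of the original post: it flags PDFs that carry JavaScript or auto-run actions, resolving the hex-escaped names and FlateDecode streams that defeat a naive grep. The sample PDF is constructed for the example, not the malicious document from the post.

```python
import re
import zlib

# Constructed sample: a minimal PDF whose catalog runs a JavaScript action on
# open. The action name is hex-escaped (/Java#53cript) and the script body is
# Flate-compressed, so a plain string search for "/JavaScript" would miss it.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Filter /FlateDecode >> stream\n"
    + zlib.compress(b"app.alert('constructed sample');")
    + b"\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# PDF names that mean "code or an action runs" rather than "text is displayed".
RISKY_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch", "EmbeddedFile")


def _decode_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF names (/Java#53cript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Return the decompressed bodies of every stream that inflates cleanly.
    Trailing whitespace before 'endstream' is ignored by zlib as unused data."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (or corrupt); nothing to add
    return b"\n".join(out)


def pdf_risk_indicators(data: bytes) -> dict:
    """Count risky names in the raw file plus its inflated stream contents."""
    text = _decode_names(data + b"\n" + _inflate_streams(data))
    hits = {}
    for name in RISKY_NAMES:
        # Match the whole name only: "/JS" must not count inside "/JSNotAName".
        n = len(re.findall(rb"/" + name.encode() + rb"(?![A-Za-z])", text))
        if n:
            hits[name] = n
    return hits


def is_suspicious(data: bytes) -> bool:
    """True when the PDF can execute code or launch something on open."""
    hits = pdf_risk_indicators(data)
    return any(k in hits for k in ("JavaScript", "JS", "Launch"))
```

Quarantining or opening such files in a sandboxed or alternative reader, rather than blocking on the indicators alone, keeps benign form-validation scripts from being dropped outright.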

http://www.adobe.com/support/security/advisories/apsa09-07.html
