Wednesday, December 16, 2009

Adobe Acrobat 0-day Analysis

So as promised in my earlier post, I have started the analysis of the exploit, and here are some details thus far. The exploit is affecting Adobe Reader and Acrobat 9.2 and earlier.
When the malicious PDF file is opened in Adobe Acrobat/Reader it attempts to download an executable payload.
The payload I analyzed was downloaded from hxxp://
This server looks like it has been taken down a few times since about 6am EST this morning but is back up.
The executable, once downloaded, searches for and encrypts certain files and then uploads them to another server. This server is online and its contents are publicly browsable.

Based on the number of files found on the upload server, it appears that this exploit is only being used in targeted attacks at this time; however, this may change at any point.

Adobe's patch schedule is quarterly, with security patches released as needed on the same release day as Microsoft's patches; under this patching SOP it could be January 12th before Adobe pushes out a patch.

The exploit I detected as Exploit:W32/AdobeReader.Uz.
The downloader file as Trojan-Dropper:W32/Agent.MRH.
The dropped files as Trojan:W32/Agent.MRI, Trojan:W32/Agent.MRJ, and Rootkit:W32/Agent.MRK.

At this point I would recommend using alternative PDF readers, or disabling the JavaScript option within Adobe products, as a temporary remediation.
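Since the recommended stopgap is to turn off JavaScript, it helps to be able to check whether a given PDF even carries any. The following is an added example written for this post, not code from the original analysis: it counts JavaScript and auto-action names in a PDF, undoing hex-escaped names and inflating FlateDecode streams so the usual evasions do not hide them. The sample PDFs are constructed for the demonstration.

```python
import re
import zlib

# PDF names may be hex-escaped (/J#61vaScript is the same name as /JavaScript),
# a trick for evading naive string matching, so undo the escapes before matching.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# Script objects plus the actions that fire them when the document is opened.
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def _inflate_streams(data: bytes) -> bytes:
    """Plaintext of every zlib (FlateDecode) stream, so names hidden inside
    compressed object streams are scanned as well."""
    out = []
    for m in _STREAM.finditer(data):
        try:  # decompressobj tolerates the trailing newline before 'endstream'
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed stream or a filter this triage does not handle
    return b"\n".join(out)

def pdf_javascript_indicators(data: bytes) -> dict:
    """Count each indicator name in the raw bytes and in inflated streams."""
    text = data + b"\n" + _inflate_streams(data)
    text = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), text)
    return {n.decode(): len(re.findall(re.escape(n) + rb"(?![A-Za-z])", text))
            for n in INDICATORS}

def has_javascript(data: bytes) -> bool:
    counts = pdf_javascript_indicators(data)
    return counts["/JavaScript"] > 0 or counts["/JS"] > 0

# Constructed samples, not files from the original post.
# 1) OpenAction pointing at a JavaScript action, with the name hex-escaped.
SAMPLE_ESCAPED = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('constructed')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# 2) The same action dictionary hidden inside a FlateDecode object stream.
_OBJSTM = zlib.compress(b"3 0 << /S /JavaScript /JS (app.alert('constructed')) >>")
SAMPLE_COMPRESSED = (
    b"%PDF-1.5\n4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode >>\n"
    b"stream\n" + _OBJSTM + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
# 3) A benign document with no actions at all.
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
```

A non-zero /JavaScript or /JS count is only a triage signal, not proof of malice; many legitimate forms carry scripts, so the counts are meant to prioritise which files get a closer look.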

New Adobe Acrobat /Reader 0-day Exploits

This just came across my desk so I figured I would post a short informational piece for those of you who are using the mentioned Adobe products.
Based on some of the code samples I have seen thus far, the 0-day has been active for about two weeks and has now been brought to the attention of the vendor, so I would hope we can expect to see a patch soon.
The exploit allows an attacker to craft a malicious PDF which, upon being opened with a vulnerable version of the Adobe software, will allow the execution of arbitrary code. This may allow an attacker to take complete control of the affected system. No patch is currently available, and a proof-of-concept module has been added to the Metasploit framework. I will be playing with this PoC module in the days to come and will have additional details at a more in-depth technical level.
Happy Patching / Updating.