Adobe Reader hacker attacks rapidly increasing
January 5, 2010
Once again, attackers are targeting Adobe Reader, this time with an unusually sophisticated attack. Last week, Internet security firm McAfee predicted that Adobe's PDF Reader will be the most attacked software in 2010.
The exploit uses what's known as egg-hunting shellcode to shrink the first phase of the malicious payload to just 38 bytes, a size small enough to thwart anti-virus detection. As a result, only four of the 41 major anti-virus programs detected the attack more than six days after the exploit surfaced, according to analysis from VirusTotal.
The shellcode then loads an obfuscated binary file contained in the PDF file that installs PoisonIvy, a backdoor client used to maintain control over infected personal computers.
"Not only was this a very interesting example of a malicious PDF document carrying a sophisticated virus, but it also revealed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the anti-virus vendors, but also for victims," wrote Bojan Zdrnja, a SANS-Center worker who analyzed the exploit.
Just to make the attack even harder for end users to detect, the obfuscated binary even runs a third executable file that does nothing more than open a benign file called baby.pdf on the infected machine. Zdrnja believes this is done to deflect attention and prevent users from figuring out their PC has just been compromised.
Adobe said today that a proper security patch won't come until late next week, on the same day Microsoft is slated to release its next installment of security fixes. The vulnerability, classified as CVE-2009-4324, has been under targeted attack for more than three weeks.
Since then, white-hat hackers have also added an exploit for the vulnerability to the Metasploit framework used by enterprise penetration testers.
The PDF documents were distributed through e-mails specifically targeted at an unnamed organization, Zdrnja said. Based on the metadata found in the compromised PDF document, it originated in China and was produced on December 29, 2009.
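Two of the traits described above, a script-driven document that carries an embedded second-stage file and metadata that dates and attributes the file, are what a defender checks first when triaging a suspicious PDF. The Python script below is an added example, not code from the article or from SANS; it runs over a constructed sample document embedded in the code (not the real malicious file), and the name objects and the `D:YYYYMMDDHHmmSS` date format it parses come from the PDF specification.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample (not the real document): a minimal PDF skeleton with a
# JavaScript OpenAction, an embedded file, and an Info dictionary whose
# CreationDate matches the date the article reports.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R /Pages 3 0 R >> endobj
2 0 obj << /S /JavaScript /JS (app.alert\\(1\\)) >> endobj
4 0 obj << /Type /Filespec /F (baby.pdf) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 4 >> stream
abcd
endstream endobj
6 0 obj << /Producer (Example) /CreationDate (D:20091229103000+08'00') >> endobj
trailer << /Root 1 0 R /Info 6 0 R >>
%%EOF"""
# Name objects that trigger script execution or carry/launch a second-stage file.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")
PDF_DATE = re.compile(r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?(?:([Z+-])(\d{2})?'?(\d{2})?'?)?")
def count_indicators(data: bytes) -> dict:
    """Count each suspicious name; the lookahead stops /JS matching longer names."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", data)) for k in SUSPICIOUS_KEYS}

def extract_info(data: bytes) -> dict:
    """Return the string entries of the /Info dictionary named in the trailer."""
    ref = re.search(rb"/Info\s+(\d+)\s+0\s+R", data)
    obj = ref and re.search(rb"(?s)\b" + ref.group(1) + rb"\s+0\s+obj\s*<<(.*?)>>", data)
    if not obj:
        return {}
    return {k.decode(): v.decode("latin-1") for k, v in re.findall(rb"/(\w+)\s*\(([^)]*)\)", obj.group(1))}

def parse_pdf_date(value: str) -> datetime:
    """Parse D:YYYYMMDDHHmmSS+HH'mm' (missing fields take PDF defaults; a missing offset is assumed UTC)."""
    m = PDF_DATE.match(value)
    if not m:
        raise ValueError(f"not a PDF date string: {value!r}")
    fields = [int(g) if g else d for g, d in zip(m.groups()[:6], (0, 1, 1, 0, 0, 0))]
    sign, oh, om = m.group(7), m.group(8), m.group(9)
    tz = timezone.utc
    if sign in ("+", "-"):
        off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(off if sign == "+" else -off)
    return datetime(*fields, tzinfo=tz)

def triage(data: bytes) -> dict:
    """Flag a document that both runs script and carries or launches a file."""
    ind, info = count_indicators(data), extract_info(data)
    created = parse_pdf_date(info["CreationDate"]) if "CreationDate" in info else None
    runs_script = ind["/JS"] + ind["/JavaScript"] > 0
    drops_file = ind["/EmbeddedFile"] + ind["/Launch"] > 0
    return {"indicators": ind, "info": info, "created": created, "suspicious": runs_script and drops_file}
```

The script only inspects uncompressed objects; real samples usually wrap these dictionaries in FlateDecode streams, so a full triage tool would inflate streams before counting.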
Overall, the wide availability of exploits targeting now-patched vulnerabilities suggests that a significant portion of users don't run the most recent version of the programs.
These latest "in-the-wild attacks" are bound to add fuel to the arguments of critics who say Adobe software, which runs on well more than 95 percent of the world's PCs and corporate workstations, needs to be better screened for such security vulnerabilities.
Adobe says it is currently in the process of designing a new security patch updater that will fix vulnerabilities in Adobe Reader, Acrobat Reader and Flash without requiring user interaction.
Beta users are slated to begin testing it around Jan. 21. We will keep you updated.
Additionally, Adobe has also pledged to improve the overall security of Reader and Acrobat by using software "fuzzers" and other such tools to proactively discover bugs that can be exploited.
Since then, hackers have beaten Adobe in spotting new critical vulnerabilities at least twice, including the latest attacks in December.