
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2008-02-09



Adobe Reader exploit in the wild

Published: 2008-02-09
Last Updated: 2008-02-11 21:08:12 UTC
by Raul Siles (Version: 3)

The Adobe Reader vulnerability (see previous ISC post - CVE-2008-0655) is being exploited in the wild! A malicious PDF file (called 1.pdf in this example), served from IP address "85.17.221.2" (not active at this time), downloads a Trojan that is a variant of Zonebac. The IP address belongs to LeaseWeb, a hosting provider in The Netherlands, which we have already notified.

The first and, so far, only public report is available from an Italian forum (original post in Italian) and was posted on January 20. See the image here (from the original forum post) for more file details. (A better translation is in UPDATE 2 below.)

If you see other incidents exploiting this, please, let us know.

UPDATE 1

VeriSign - iDefense sent us some additional information.  Here is what they told us:

VeriSign - iDefense is observing exploitation of a recently patched vulnerability in Adobe Acrobat Reader. This vulnerability was discovered by Greg McManus of iDefense Labs and reported to Adobe in October 2007.

Since January 20, 2008 banner ads are actively serving malicious PDF files that exploit the vulnerability and install the Zonebac Trojan.  Once installed the Trojan kills various anti-virus products and modifies search results and banner ads. 

Until 2 days ago, this attack did not have a patch available while being actively exploited in the wild.  A similar attack occurred in October 2007 when the same group used a Realplayer 0-day exploit to install the Zonebac Trojan.

No anti-virus vendors currently detect the malicious PDF files though we have provided samples to all.  This type of exploit works for both web browser and email attack vectors.  Exploitation affects all 7.x versions of Adobe Acrobat Reader and versions prior to 8.1.2.  Complete mitigation requires upgrading to Adobe Acrobat 8.1.2.

Vulnerability Timeline:

* Adobe Reader Buffer Overflow Vulnerability (iDefense orig.) (ID#464641, Oct. 10, 2007)
* Virus Report (http://www.pcprimipassi.it/servizifree/forum/forum_posts.asp?TID=10066, Jan. 20, 2008)
* Adobe Acrobat 8.1 Undisclosed Buffer Overflow Vulnerability (ID#467355, Feb. 6, 2008)
* Immunity POC Exploit (http://www.immunityinc.com/partners-index.shtml, Feb. 6, 2008)
* Adobe Reader Vulnerability Exploitation in the Wild (ID#467384, Feb. 8, 2008)
* Adobe Security Advisory APSA08-01 (http://www.adobe.com/support/security/advisories/apsa08-01.html, Feb. 7, 2008)
* iDefense Receives Hostile PDF Sample (Feb. 7, 2008)
* iDefense Customer Notification (ID#467398, Feb. 8, 2008)

Additional details: 

1c130a41aa6866bc081cf096bbd08da3 1.pdf
68b804a8463c9261b991f1c92e05f801 b.pdf

The Zonebac trojan communicates with the following URLs:

A.doginhispen.com
B.skitodayplease.com

We ran "1.pdf" through VirusTotal and got these results (0/32).  Pretty scary!
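As an added defensive example (not part of the original diary), the following Python script matches a file's MD5 against the two sample hashes listed above and scans proxy-style log lines for the hosting IP and the two Zonebac callback hosts. The log format and the sample lines are constructed assumptions, not data from the diary.

```python
import hashlib
import re

# Indicators quoted in the diary: MD5s of the two PDF samples, the hosting IP
# and the two hosts the Zonebac Trojan communicates with.
KNOWN_MD5 = {
    "1c130a41aa6866bc081cf096bbd08da3": "1.pdf",
    "68b804a8463c9261b991f1c92e05f801": "b.pdf",
}
BAD_HOSTS = {"85.17.221.2", "a.doginhispen.com", "b.skitodayplease.com"}

# Pulls the host part out of any http(s) URL in a log line (stops at ':' so a port is ignored).
HOST_RE = re.compile(r"https?://([^/:\s]+)", re.IGNORECASE)


def lookup_md5(hexdigest):
    """Return the sample name for a known MD5 (case-insensitive), else None."""
    return KNOWN_MD5.get(hexdigest.strip().lower())


def check_file_bytes(data):
    """Hash file contents and look the digest up against the known samples."""
    return lookup_md5(hashlib.md5(data).hexdigest())


def find_ioc_hits(log_lines):
    """Scan log lines; return (line_no, client, host) for every request to a bad host.

    Assumed (constructed) format: '<timestamp> <client> <method> <url> <status>'.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        client = fields[1] if len(fields) > 1 else "?"
        for host in HOST_RE.findall(line):
            if host.lower() in BAD_HOSTS:
                hits.append((n, client, host.lower()))
    return hits


# Constructed sample log: one client fetches 1.pdf from the hosting IP and
# later contacts a callback host; the other requests are benign noise.
SAMPLE_LOG = [
    "1201872001.123 hostA GET http://www.example.com/index.html 200",
    "1201872002.456 hostB GET http://85.17.221.2/1.pdf 200",
    "1201872003.789 hostC GET http://cdn.example.net/banner.swf 200",
    "1201872004.012 hostB GET http://A.doginhispen.com/check?id=1 200",
]

if __name__ == "__main__":
    for line_no, client, host in find_ioc_hits(SAMPLE_LOG):
        print(f"line {line_no}: {client} contacted {host}")
```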

UPDATE 2 

Lou Giannelli wrote to tell us that the translation we linked to above totally sucks.  So he offered to provide a much better version:

Hi, this morning I found myself cleaning three PCs infected with a Trojan (a variant of Zonebac) that is not currently detected by the AV (an exclusivity, but at the same time, an old acquaintance). I take this opportunity to greet the staff of Libero. On all 3 PCs, in the history there was the following IP at the time of the infection.

85.17.221.2

And among the temporary files, I found the following files (at the time of the infection).

Therefore, if you use IE and find this IP in the history, you have been infected by this Trojan. (it would be prudent to restrict this IP..)

I don’t want to name the involved portals, but for the time being I’ll watch the portals I suspect, expecting to be infected … (in fact, the infection takes place in a casual manner, perhaps through the banner)

I’ll inform the owner of the IP that such IP is hosting malware, and I’ll submit the infected files to AV vendors (so they can update their virus definitions) … and report this to the proper authorities (considering how expensive it is for those using dial-up connectivity).

Above all, a direct restriction to the portal hosting the virus is useless… considering the behavior in past similar cases.  Bye, and keep your eyes peeled!

The truth will set you free.

Thanks Lou!!


--Raul Siles
www.raulsiles.com



MSN Messenger Trojan

Published: 2008-02-09
Last Updated: 2008-02-09 11:24:09 UTC
by Marcus Sachs (Version: 1)

Two readers sent us notes about some malware circulating on MSN Messenger.

First note:

Seems like every 15 minutes someone else on my MSN buddy list sends me a message with:

 "Hot or Not? hxxp://mymsngallery.my.funpic de/viewimage.php?youremail@someplace.com" 

or

 "this really looks like you hxxp://mymsngallery.my.funpic de/viewimage.php?youremail@someplace.com"

Where youremail@someplace.com is my email address. Pulling up the page returns an 876032-byte file that appears to be an executable.

As of this writing the above site is still live and distributing the executable.

Running the malware through VirusTotal gives these results.

A second submission came in a few hours after the first one:

We’ve had a handful of hosts that have been infected via a Trojan that arrives over MSN.  While we don’t have specifics it would appear as though the message is similar to “Here’s a funny pic of you...”.  The link is on the funpic.de domain, we don’t have the full hostname, but understand the site is a photo sharing site in Germany.  The file downloaded is PIC006.JPG-www.photoshare.com.  On the one system our student technicians had access to it also appeared that malware opened a connection to 58.65.164.41:2007.

We had a similar outbreak a few weeks ago with our faculty/staff, but the payload was not the .com file, but rather an “a.bat” and an .exe (I couldn’t find the name off-hand).  While we blocked outbound traffic to the funpic.de domain, we didn’t do it on all interfaces — so again now our students are infected with something similar that should have been prevented.  Lesson learned:  Once you block, test, test, and test!  By the way, Symantec threw a generic Trojan warning on our earlier outbreak and would quarantine the files, but not this one (.com).

If you see any variations on this please let us know via the contact form.

Marcus H. Sachs
Director, SANS Internet Storm Center
