Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2009-02-20 InfoSec Handlers Diary Blog



Adobe/Acrobat 0-day in the wild?

Published: 2009-02-20
Last Updated: 2009-02-23 03:03:09 UTC
by Joel Esler (Version: 7)
7 comment(s)

According to our friends over at Shadowserver, there is a new Acrobat 0-day in the wild.  They say you can avoid it by turning off JavaScript inside your Adobe Acrobat products.

Please see Shadowserver's write-up here for more information.

UPDATE:  Another great VRT Blog post.  These guys keep pumping them out!  Check it out here.

UPDATE:  Shadowserver has released important mitigation information.  You can see that post at the URL below.

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221

UPDATE:  Sourcefire VRT has published a "homebrew" patch for the vuln.  PLEASE TEST THIS BEFORE DEPLOYING IN ANY ENVIRONMENT!!!  SANS ISC has NOT verified the effectiveness of this "homebrew patch", and as such we cannot make any claims or comments on its effectiveness or any unintended consequences of using this modified software.  As some of you may remember, ZERT has done similar things in the past, and there are obviously caveats involved with this approach (both technical and possibly legal).  So please do educate yourself, and if need be discuss with your legal team before deploying third-party modified software into your environment.

Information on patch:

http://vrt-sourcefire.blogspot.com/2009/02/homebrew-patch-for-adobe-acroreader-9.html

Information on ZERT:

http://www.isotf.org/zert/

Disclosure:  Joel works for Sourcefire, but does not work for the VRT.

UPDATE 2:  Based on the comments to this diary entry, something needs to be clearly stated.  Java has NO relation to this exploit; JavaScript is utilized by the attackers to massage memory structures to build a more reliable exploit.  Disabling JavaScript will remove this ability and make a reliable exploit much harder to build.  - Andre L
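Because the script is only there to prepare memory before the parser bug is hit, the defensive signal is simply "this PDF carries JavaScript, and it is wired to run on open".  The following triage script is an added example written for this diary entry; it is not code from the ISC, Shadowserver or the VRT.  It counts the PDF name objects that matter here (/JavaScript, /JS, /OpenAction, /AA, /Launch), decodes the #xx name escapes that are sometimes used to hide them, and returns a verdict.  The two PDF fragments are constructed for the example and are not real samples.

```python
import re
from typing import Dict

# Name objects worth counting: /JavaScript and /JS carry script, /OpenAction
# and /AA make an action run automatically, /Launch starts an external program.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

# PDF allows any byte in a name to be written as #xx, so /Java#53cript is the
# same name as /JavaScript; normalise before matching.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names count like plain ones."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> Dict[str, int]:
    """Return how often each suspicious name occurs in the raw file bytes."""
    text = normalise_names(data)
    counts: Dict[str, int] = {}
    for name in SUSPICIOUS_NAMES:
        # The name must end at a delimiter so /JS does not also match /JSx.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        counts[name] = len(re.findall(pattern, text))
    return counts


def classify(data: bytes) -> str:
    """'quarantine' if script is set to run on open, 'review' if script or
    /Launch is merely present, otherwise 'clean'."""
    c = count_keywords(data)
    has_script = bool(c["/JavaScript"] or c["/JS"])
    runs_on_open = bool(c["/OpenAction"] or c["/AA"])
    if has_script and runs_on_open:
        return "quarantine"
    if has_script or c["/Launch"]:
        return "review"
    return "clean"


# Constructed samples (not real malware): a plain one-page document and one
# whose /OpenAction points at a JavaScript action with an escaped name.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SCRIPTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS (var x = 1;) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("scripted", SCRIPTED_PDF)):
        print(label, classify(sample), count_keywords(sample))
```

The scan works on raw bytes, so it also sees names inside uncompressed streams; it will not see objects packed into a FlateDecode-compressed object stream, which is why a keyword count is a triage step and not a substitute for decoding the file.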

-- Joel Esler http://www.joelesler.net

-- Andre L


Phishing with a small twist

Published: 2009-02-20
Last Updated: 2009-02-20 12:26:18 UTC
by Mark Hofman (Version: 1)
2 comment(s)

A reader sent this through to us (thanks) and it has an interesting little twist. 

The message is one we are already used to

Dear email account owner,

This message is from somewhere email administration center to all email
account owners. We are currently upgrading the email securities of our
database and email account center. We are also conducting a routine check
by deleting all unused accounts to create more space for new accounts.

To prevent your email account from being closed, you will have to update
it below by providing us with the below mentioned so that we can ascertain
that your account is prensently in use.

CONFIRM YOUR EMAIL IDENTITY BELOW

Email Username:....................
Email Password:....................
Date of Birth:.....................
Country or Territory:..............

Warning!!! Account owner that refuses to update his or her account within
Seven days of receiving this warning will lose his or her account
permanently.

Regards,

Admin Team

Thank you for using somewhere email account

We know this message.  Nothing different so far.  The twist is in the sender and reply address.  Instead of the usual abc@somefreemail.site, such as hotmail, live.com, gmail, yahoo, etc., this reply address had its own domain.  So they set up a domain to make it seem more legit.  The domain was registered yesterday.  The phishing messages are already going out.  No doubt replies are already going back.  You may wish to consider making email to the domain email-helpdesk.com disappear.  Just be aware there may be other domains as well.
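The three things the diary points at (a reply domain you have decided to block, a domain that was registered a day ago, and a body asking for a username and password) can be checked at the mail gateway.  The script below is an added example for this entry, not code from the diary or from Shearwater.  The sample messages are constructed; the registration date for email-helpdesk.com is an assumption standing in for a WHOIS/RDAP lookup, and the blocklist contains just the domain the diary names.

```python
import email
from datetime import date
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed sample in the shape the diary describes: the reply address is
# not a free-mail account but the phisher's own freshly registered domain.
SAMPLE_MESSAGE = """\
From: Admin Team <support@email-helpdesk.com>
Reply-To: Admin Team <support@email-helpdesk.com>
To: victim@example.net
Subject: CONFIRM YOUR EMAIL IDENTITY
Date: Fri, 20 Feb 2009 09:00:00 +0000

Dear email account owner,
Email Username:....................
Email Password:....................
"""

# Constructed benign message for comparison.
BENIGN_MESSAGE = """\
From: Alice <alice@example.org>
Reply-To: Alice <alice@example.org>
To: bob@example.org
Subject: Meeting

Meeting is at 10, see you there.
"""

REFERENCE_DATE = date(2009, 2, 20)          # the diary's publication date
BLOCKED_DOMAINS = {"email-helpdesk.com"}    # the one domain the diary names
MAX_DOMAIN_AGE_DAYS = 30                    # assumption: flag anything this young
CREDENTIAL_WORDS = ("username", "password")

# Assumption: stands in for a WHOIS/RDAP creation-date lookup.  The date is
# constructed to match "registered yesterday" relative to REFERENCE_DATE.
DOMAIN_CREATED = {"email-helpdesk.com": date(2009, 2, 19)}


def sender_domains(raw: str) -> Dict[str, Optional[str]]:
    """Extract the domain part of From, Reply-To and Return-Path (None if absent)."""
    msg = email.message_from_string(raw)
    out: Dict[str, Optional[str]] = {}
    for hdr in ("From", "Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(hdr, ""))[1]
        out[hdr] = addr.rpartition("@")[2].lower() if "@" in addr else None
    return out


def domain_age_days(domain: str, today: date) -> Optional[int]:
    """Days since registration, or None when no creation date is known."""
    created = DOMAIN_CREATED.get(domain)
    return (today - created).days if created else None


def assess(raw: str, today: date = REFERENCE_DATE) -> List[str]:
    """Return the list of reasons a message should be held; empty means pass."""
    msg = email.message_from_string(raw)
    domains = sender_domains(raw)
    reasons: List[str] = []

    # Replies go to Reply-To when present, so that is the domain to judge.
    reply = domains["Reply-To"] or domains["From"]
    if reply in BLOCKED_DOMAINS:
        reasons.append(f"reply domain {reply} is blocklisted")
    age = domain_age_days(reply, today) if reply else None
    if age is not None and age <= MAX_DOMAIN_AGE_DAYS:
        reasons.append(f"reply domain {reply} registered {age} day(s) ago")
    if domains["Reply-To"] and domains["Reply-To"] != domains["From"]:
        reasons.append("Reply-To domain differs from From domain")

    body = "" if msg.is_multipart() else msg.get_payload()
    if all(word in body.lower() for word in CREDENTIAL_WORDS):
        reasons.append("body asks for account credentials")
    return reasons


if __name__ == "__main__":
    print("sample:", assess(SAMPLE_MESSAGE))
    print("benign:", assess(BENIGN_MESSAGE))
```

The domain-age check is the one that catches the twist: blocking email-helpdesk.com handles this campaign, while "reply domain younger than a month" also covers the other domains the diary warns may exist.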

Update

Joanne mentioned that she has seen this a bit over the last few months.  Like most of us she just discarded the message, after all spam is spam no matter what the reply address is. 

Mark H - Shearwater

I'll be teaching Security 401: SANS Security Essentials Bootcamp Style in Melbourne (May 11-16) and Canberra (June 29 - July 4).

Keywords: phishing