
SANS ISC: Adobe Reader exploit in the wild - SANS Internet Storm Center SANS ISC InfoSec Forums


Adobe Reader exploit in the wild

The Adobe Reader vulnerability (see previous ISC post) is being exploited in the wild! A malicious PDF file (called 1.pdf in this example) served from IP address "85.17.221.2" (not active at this time) contains a malware specimen called Trojan, a variant of Zonebac. The IP address belongs to LeaseWeb, a hosting provider in The Netherlands we already notified.

The first and, so far, only public report is available from an Italian forum (original post in Italian), and was posted on January 20. See the image here (from the original forum post) for more file details.

If you see other incidents exploiting this, please, let us know.

UPDATE 1

VeriSign - iDefense sent us some additional information.  Here is what they told us:

VeriSign - iDefense is observing exploitation of a recently patched vulnerability in Adobe Acrobat Reader. This vulnerability was discovered by Greg McManus of iDefense Labs and reported to Adobe in October 2007.

Since January 20, 2008 banner ads are actively serving malicious PDF files that exploit the vulnerability and install the Zonebac Trojan. Once installed the Trojan kills various anti-virus products and modifies search results and banner ads.

Until 2 days ago, this attack did not have a patch available while being actively exploited in the wild. A similar attack occurred in October 2007 when the same group used a RealPlayer 0-day exploit to install the Zonebac Trojan.

No anti-virus vendors currently detect the malicious PDF files though we have provided samples to all. This type of exploit works for both web browser and email attack vectors. Exploitation affects all 7.x versions of Adobe Acrobat Reader and versions prior to 8.1.2. Complete mitigation requires upgrading to Adobe Acrobat 8.1.2.

Vulnerability Timeline:

* Adobe Reader Buffer Overflow Vulnerability (iDefense orig.) (ID#464641, Oct. 10, 2007)
* Virus Report (http://www.pcprimipassi.it/servizifree/forum/forum_posts.asp?TID=10066, Jan. 20, 2008)
* Adobe Acrobat 8.1 Undisclosed Buffer Overflow Vulnerability (ID#467355, Feb. 6, 2008)
* Immunity POC Exploit (http://www.immunityinc.com/partners-index.shtml, Feb. 6, 2008)
* Adobe Reader Vulnerability Exploitation in the Wild (ID#467384, Feb. 8, 2008)
* Adobe Security Advisory APSA08-01 (http://www.adobe.com/support/security/advisories/apsa08-01.html, Feb. 7, 2008)
* iDefense Receives Hostile PDF Sample (Feb. 7, 2008)
* iDefense Customer Notification (ID#467398, Feb. 8, 2008)

Additional details: 

1c130a41aa6866bc081cf096bbd08da3 1.pdf
68b804a8463c9261b991f1c92e05f801 b.pdf

The Zonebac trojan communicates with the following hostnames:

A.doginhispen.com
B.skitodayplease.com

We ran "1.pdf" through VirusTotal and got these results.  Pretty scary!
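Since no anti-virus engine flagged the PDFs at the time, the indicators above (the two MD5s, the two C2 hostnames, the serving IP) and the affected-version boundary are what a defender can actually act on. The script below is an added example, not ISC's or iDefense's code: it matches file hashes against the listed MD5s, flags proxy/DNS/firewall log lines that mention a listed host (exact or subdomain) or the serving IP, and triages an installed Reader version against the "all 7.x and anything before 8.1.2" guidance. The sample log lines, client IPs and URL paths are constructed for illustration; the matching approach (regex host extraction, subdomain suffix match) is my own choice. Keep in mind that a hash only catches the exact sample, so the network indicators are the more durable of the two.

```python
"""Detection helpers built from the indicators in this ISC diary.

Constructed example, not ISC's or iDefense's own code. The MD5s, C2 hostnames,
hosting IP and affected-version boundary are taken from the diary text; the
sample log lines below are constructed for illustration.
"""
import hashlib
import re

# MD5 -> file name, exactly as listed under "Additional details".
KNOWN_BAD_MD5 = {
    "1c130a41aa6866bc081cf096bbd08da3": "1.pdf",
    "68b804a8463c9261b991f1c92e05f801": "b.pdf",
}

# Hosts the Zonebac trojan was reported to contact, and the IP that served 1.pdf.
C2_HOSTS = {"a.doginhispen.com", "b.skitodayplease.com"}
C2_IPS = {"85.17.221.2"}

HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def md5_hex(data: bytes) -> str:
    """MD5 of file contents as lowercase hex, the form the diary lists."""
    return hashlib.md5(data).hexdigest()


def match_hash(md5: str):
    """Return the diary's file name for a known-bad MD5 (any case), else None."""
    return KNOWN_BAD_MD5.get(md5.strip().lower())


def _host_hit(host: str):
    """Exact or subdomain match against the listed C2 hostnames."""
    host = host.lower().rstrip(".")
    for c2 in C2_HOSTS:
        if host == c2 or host.endswith("." + c2):
            return c2
    return None


def scan_log(lines):
    """Flag log lines (proxy, DNS, firewall) that mention a listed host or IP.

    Returns [(line_index, indicator), ...] in the order the hits are found.
    """
    hits = []
    for idx, line in enumerate(lines):
        seen = set()
        for host in HOST_RE.findall(line):
            c2 = _host_hit(host)
            if c2 and c2 not in seen:
                seen.add(c2)
                hits.append((idx, c2))
        for ip in IPV4_RE.findall(line):
            if ip in C2_IPS and ip not in seen:
                seen.add(ip)
                hits.append((idx, ip))
    return hits


def reader_is_affected(version: str) -> bool:
    """True for every Reader release below 8.1.2, which covers all 7.x builds
    as the iDefense note states; 8.1.2 and later carry the fix."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    parts += [0] * (3 - len(parts))
    return tuple(parts) < (8, 1, 2)


# Constructed sample log lines (timestamps, client IPs and paths are made up).
SAMPLE_LOG = [
    "2008-02-08T10:00:01 10.0.0.5 GET http://A.doginhispen.com/ping.php 200",
    "2008-02-08T10:00:02 10.0.0.5 GET http://www.example.com/index.html 200",
    "2008-02-08T10:00:03 10.0.0.7 query b.skitodayplease.com A",
    "2008-02-08T10:00:04 10.0.0.9 GET http://85.17.221.2/1.pdf 200",
]

if __name__ == "__main__":
    for idx, indicator in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {indicator} -> {SAMPLE_LOG[idx]}")
    for v in ("7.0.9", "8.1.1", "8.1.2"):
        print(v, "affected" if reader_is_affected(v) else "fixed")
```

Run against the constructed lines, `scan_log` reports the first line (the A.doginhispen.com request), the third (the DNS query for b.skitodayplease.com) and the fourth (the fetch from 85.17.221.2), and leaves the www.example.com request alone. `reader_is_affected` treats 8.1 as 8.1.0 and therefore affected, which matches the note's "versions prior to 8.1.2".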


--Raul Siles
www.raulsiles.com
