Hi malware fighters,
It is an advanced attack:
http://isc.sans.org/diary.html?storyid=7867
Hackers are using it at the mo on the popular BitTorrent site IsoHunt.com.
Block these from your OS: 193.104.22.0/24 and 89.149.236.46 (193.104.22.0/24 was already blocked).
PDF files have become the hacker tool of sorts, and this is proven by this new advanced attack. The shellcode used in this attack was only 38 bytes in size. While the same heap-spraying technique has been used in other exploits, the second part of the shellcode has been added as another object to the PDF document. At first the code seems to be corrupted, but then Adobe Reader will open the whole of the document into memory, as well as the corrupted code. According to Bojan Zdrnja, the benefits for the attacker are crystal clear: he may easily change what the exploit is to perform, without the first part of the shellcode needing any change.
This will make automatic analysis with a JavaScript-interpreting tool for added malcoded JavaScript impossible. Research has turned up two hidden binaries and also that the PDF doc has all aboard to take over a machine completely. No "extras" are to be downloaded. "Not only is this an example of a malicious PDF document with an advanced payload, but also to show to what trouble malcreants will go to circumvent detection from AV vendors and victims alike", according to the ISC handler.
polonus
P.S. Anyway, Adobe is now going for silent uploads a la Google, hoping some added obscurity will add some added security. At the moment I hope they will patch this one soon. For a while I have been using an alternative reader...
Damian
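The post describes a payload split across PDF objects: a small first-stage shellcode plus a second, "corrupted-looking" object that Reader still loads into memory, which defeats JavaScript-only emulation. The triage script below is an added example, not code from the post or from the ISC diary, and it does not reproduce the exploit. It walks the raw `N G obj ... endobj` units of a document and flags two things a defender can check offline: objects that carry script or action keys (`/JavaScript`, `/JS`, `/OpenAction`, `/AA`, `/Launch`) and unfiltered streams whose bytes are mostly non-printable, which is where a raw second stage would sit. The sample PDF and the 30% non-printable threshold are constructed assumptions; the script is a heuristic and does not decode `/Filter`-compressed or object-stream content, so it complements, rather than replaces, a full PDF parser.

```python
import math
import re
from dataclasses import dataclass, field

# Constructed sample (not a real exploit): object 1 has an /OpenAction that runs
# JavaScript; object 5 is an unfiltered stream of raw high bytes, the kind of
# "corrupted" object a staged payload would hide in.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
    b"/OpenAction << /S /JavaScript /JS (app.alert('hi')) >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length 5 >>\nstream\nBT ET\nendstream\nendobj\n"
    b"5 0 obj\n<< /Length 64 >>\nstream\n"
    + bytes(range(0x80, 0xC0))  # 64 distinct high bytes: looks like raw binary
    + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Indirect objects and their stream bodies; DOTALL so binary newlines are fine.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Keys that make a PDF execute something on open or on an event.
SCRIPT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
# Assumed threshold: more than 30% non-text bytes in an unfiltered stream.
BINARY_RATIO = 0.3


@dataclass
class ObjReport:
    num: int
    flags: list = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, raw code/packed data scores high."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII and common whitespace."""
    if not data:
        return 0.0
    bad = sum(1 for b in data if not (32 <= b < 127 or b in b"\r\n\t"))
    return bad / len(data)


def scan_pdf(data: bytes) -> list:
    """Return an ObjReport for every object that trips a heuristic."""
    reports = []
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        rep = ObjReport(num)
        # The dictionary is everything before the first 'stream' keyword.
        head = body.split(b"stream", 1)[0]
        for key in SCRIPT_KEYS:
            # Negative lookahead so '/JS' does not match '/JSX' etc.
            if re.search(re.escape(key) + rb"(?![A-Za-z])", head):
                rep.flags.append("script:" + key.decode())
        sm = STREAM_RE.search(body)
        if sm:
            payload = sm.group(1)
            # An undeclared (unfiltered) stream full of non-text bytes is odd:
            # legitimate binary streams normally declare a /Filter.
            if b"/Filter" not in head and nonprintable_ratio(payload) > BINARY_RATIO:
                rep.flags.append("raw-binary-stream")
        if rep.flags:
            reports.append(rep)
    return reports


if __name__ == "__main__":
    for r in scan_pdf(SAMPLE_PDF):
        print(f"object {r.num}: {', '.join(r.flags)}")
```

Run against a real file with `scan_pdf(open(path, "rb").read())`. On the constructed sample it reports object 1 (script keys) and object 5 (raw binary stream) and stays silent on the harmless page-content stream in object 4; in practice the flagged objects are the ones worth handing to a full parser or a sandboxed viewer.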