Topic: New year, new attacks against Adobe Zero-Day

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
« Last Edit: January 05, 2010, 08:17:57 PM by Pondus »

Offline Chris Thomas

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1936
  • Christian Geek - aka 'born again' Geek
Re: New year, new attacks against Adobe Zero-Day
« Reply #1 on: January 05, 2010, 07:54:24 PM »
Many people were expecting this to happen.

That flaw in Adobe is very severe...

Hope they fix it fast!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: New year, new attacks against Adobe Zero-Day
« Reply #2 on: January 05, 2010, 09:05:56 PM »
Hi malware fighters,

It is an advanced attack: http://isc.sans.org/diary.html?storyid=7867
Hackers are using it at the mo on the popular BitTorrent site IsoHunt.com,
block these from your OS: 193.104.22.0/24 and 89.149.236.46 (this was already blocked: 193.104.22.0/24).

PDF files have become the hacker tool of sorts, and this is proven by a new advanced attack. The shellcode used in this attack was only 38 bytes large. While the same heap spraying technique has been used inside other exploits, the second part of the shellcode has been added as another object to the PDF document. At first the code seems to be corrupted, but then Adobe Reader will open the whole of the document into memory, as well as the corrupted code. According to Bojan Zdrnja the benefits for the attacker are crystal clear. He may easily change what the exploit is to perform, without the first part of the shellcode needing any change.

This will make automatic analysis with a JavaScript interpreting tool for added malcoded JavaScript impossible. Research has found up two hidden binaries and also that the PDF doc has all aboard to take over a machine completely. No "extras" are to be downloaded. "Not only is this an example of a malicious PDF document with an advanced payload, but also to show to what trouble malcreants will go to circumvent detection from AV vendors and victims alike", according to the ISC handler.

polonus

P.S. Anyway Adobe is now going for silent uploads a la Google, hoping some added obscurity will add some added security. At the moment I hope they will patch this one soon. For a while I use an alternative reader...

Damian
« Last Edit: January 05, 2010, 09:16:45 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
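
The post above says the payload sits in a separate PDF object, so emulating the JavaScript alone misses it; a structural scan of object names does not depend on running the script. The following is an added example, not code from this thread or from the ISC diary; the sample bytes are constructed and the function names are illustrative.

```python
import re

# Name tokens from the PDF specification that matter for triage.
WATCHED = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/EmbeddedFile")
NAME = re.compile(rb"/[^\s/<>\[\]()%{}]+")
OBJECT = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)

def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, so /J#61vaScript is read as /JavaScript."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")

def triage(data: bytes) -> dict:
    """Map each watched name (and 'streams') to the object numbers holding it."""
    hits = {name: [] for name in WATCHED}
    hits["streams"] = []
    for obj in OBJECT.finditer(data):
        number, body = int(obj.group(1)), obj.group(2)
        names = {decode_name(n) for n in NAME.findall(body)}
        for name in WATCHED:
            if name in names:
                hits[name].append(number)
        if b"endstream" in body:
            hits["streams"].append(number)  # inspect every stream, not only script
    return hits

def needs_review(hits: dict) -> bool:
    """Script that runs without a click: JavaScript plus an automatic trigger."""
    has_script = bool(hits["/JS"] or hits["/JavaScript"])
    auto_run = bool(hits["/OpenAction"] or hits["/AA"])
    return has_script and auto_run

# Constructed sample: a harmless skeleton with an obfuscated /JavaScript name
# and one unrelated binary stream object.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (app.alert\\('constructed sample'\\);) >>\nendobj\n"
    b"4 0 obj\n<< /Length 8 >>\nstream\n\x00\x01\x02\x03\x04\x05\x06\x07\nendstream\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result, "review:", needs_review(result))
```

Objects packed inside compressed object streams are not visible to this scan, so a clean result is not proof that a file is safe.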

YoKenny

  • Guest
Re: New year, new attacks against Adobe Zero-Day
« Reply #3 on: January 06, 2010, 02:08:16 AM »
Malwarebytes' Anti-Malware Full blocks 193.104.22.0/24 and 89.149.236.46   8)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: New year, new attacks against Adobe Zero-Day
« Reply #4 on: January 06, 2010, 08:00:17 PM »
Hi malware fighters,

Just follow the thread of my alter ego luntrus here:
http://forums.informaction.com/viewtopic.php?f=8&t=3529

Keep walking on your toes, even if you have the full protection of NoScript extension in Fx:
Quote
You can further harden this protection by checking NoScript Options|Embedded|Apply these restrictions to trusted sites as well, which will disable all the plugin content unless you specifically enable it by clicking on placeholders.

However nothing can protect you against social engineering attack, i.e. making you voluntarily open a certain PDF file either from a web page or from an email message,
according to NS developer Giorgio Maone.

Quote
Disable JavaScript in Adobe.
Update when they release the update.
(Keep on your toes for the next exploit against Adobe.)

http://blogs.adobe.com/psirt/atom.xml
Disable JS in Foxit Reader as well: http://www.foxitsoftware.com/pdf/reader/

Forewarned is forearmed as always,

polonus aka luntrus aka Damian




Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: New year, new attacks against Adobe Zero-Day
« Reply #5 on: January 07, 2010, 04:48:22 PM »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: New year, new attacks against Adobe Zero-Day
« Reply #6 on: January 08, 2010, 08:06:29 PM »

Offline JuninhoSlo

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 849
Re: New year, new attacks against Adobe Zero-Day
« Reply #7 on: January 08, 2010, 10:23:03 PM »
Quote
Crooks are once again exploiting the zero-day hole in Adobe Reader and Acrobat to install a remote-control Trojan on victim machines.
http://www.networksasia.net/content/new-year-new-attacks-against-adobe-zero-day

http://www.theregister.co.uk/2010/01/04/adobe_reader_attack/


VirusTotal
http://www.virustotal.com/analisis/40e22d52c00b76ad58c3c8daa644b7cfdc4f07a50718743f8e67e89bab386eab-1262612027


What is wrong with Adobe? Every time I go to the forum I see Adobe was attacked ....

Is it safe to use their products?

YoKenny

  • Guest
Re: New year, new attacks against Adobe Zero-Day
« Reply #8 on: January 08, 2010, 10:34:33 PM »

Quote
What is wrong with Adobe? Every time I go to the forum I see Adobe was attacked ....

Is it safe to use their products?


Do you like playing Russian Roulette?
http://www.youtube.com/watch?v=YXEm_Qi8Sgk

Joe S

  • Guest
Re: New year, new attacks against Adobe Zero-Day
« Reply #9 on: January 08, 2010, 11:33:51 PM »
When it comes to timely security updates, Adobe is a disgrace; it gets an F minus. I use Foxit Reader whenever possible and only install Adobe Reader if it is required, then uninstall it. I have run into software where the user's manual only works with Adobe Reader. What really sucks is that most sites are now full of Adobe Flash and there isn't a simple alternative replacement that works.
Joe

Offline JuninhoSlo

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 849
Re: New year, new attacks against Adobe Zero-Day
« Reply #10 on: January 08, 2010, 11:54:00 PM »

Quote
What is wrong with Adobe? Every time I go to the forum I see Adobe was attacked ....

Is it safe to use their products?


Do you like playing Russian Roulette?
http://www.youtube.com/watch?v=YXEm_Qi8Sgk


Did I say something wrong?

CharleyO

  • Guest
Re: New year, new attacks against Adobe Zero-Day
« Reply #11 on: January 09, 2010, 12:17:30 AM »
***

No, you did not say anything wrong.

YoKenny was just suggesting that using Adobe products is like playing Russian Roulette.


***

Offline JuninhoSlo

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 849
Re: New year, new attacks against Adobe Zero-Day
« Reply #12 on: January 09, 2010, 12:35:51 AM »
Quote
***

No, you did not say anything wrong.

YoKenny was just suggesting that using Adobe products is like playing Russian Roulette.


***


Then it's okay?  ;)

Anyway I use Foxit for PDF files... It's free :D