Sophisticated PDF exploit evades analysis

For those who use on-line analysis sites such as Wepawet to scan PDF files, the exploit identified last month is able to trick these tools which use a Javascript Interpreter:

Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
http://isc.sans.org/diary.html?storyid=7867

From the analysis, we learn that the malicious executable is embedded in the PDF file, meaning that a connection out to another server is not required.

Also:

Adobe CVE-2009-4324 in the wild - (0day) - part 0.3 - merry christmas from (for) Taiwan ?
http://extraexploit.blogspot.com/search/label/CVE-2009-4324

In this case any anti-execution protection will catch the embedded executable when it attempts to run.

While these are "targeted"attacks -- sent usually to specific institutions/companies -- it's wise to be prepared:

Adobe has announced a patch for January 12.

Again, from Sans.org:

----
rich

 

There is a temporary fix, if you choose to implement it.
http://kb2.adobe.com/cps/532/cpsid_53237.html

Disable javascript until Adobe releases an official patch as you site.

Adobe will address these issues as of the below bulletin.
http://www.adobe.com/support/security/bulletins/apsb10-02.html

 

Picked up a UNh.pdf which I uploaded to Wepawet and ran sandboxed with interesting results.
http://wepawet.cs.ucsb.edu/view.php?hash=e105b9171c380fe5c284b52fe83cce1f&type=js

 

Thanks for the article, I got such one PDF someday ago, which wasnt detected by wepawet but got detected but Prevx successfully detected the file. VT result was 0/40.