PDF exploit?

Discussion in 'NOD32 version 2 Forum' started by Biscuit, Oct 24, 2007.

Thread Status:
Not open for further replies.
  1. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
  2. ASpace

    ASpace Guest

    You'd better kill that Adobe and use Foxit Software products:
    http://www.foxitsoftware.com/

    Smaller company, smaller products, lighter products, NO DINOSAUR files; the free Reader is only 4 MB and one exe file only (not 120+ MB like Adobe Reader 8). Advise your clients on it, too.

    Smaller company, less exploitable (in case something comes up).


    And on the topic, I don't know.
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
  4. sasa843

    sasa843 Registered Member

    Joined:
    Feb 1, 2007
    Posts:
    113
    Location:
    Serbia, Europe
    Hi.

    I think this is the ESET signature for that exploit, dated October 23.

    PDF/Exploit.Shell.A
     
  5. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Thanks Guys

    Hitech - I tried Foxit but didn't like it. I found it displayed a PDF file with noticeably reduced quality.
     
  6. ASpace

    ASpace Guest

    Maybe just a little bit worse than Adobe. I simply got tired of Adobe's dinosaur programs and numerous updates (especially after v8).
     
  7. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    :thumb: Yup... very light program, opens in the blink of an eye. I've started detesting Adobe's Acrobat since version 6 came out... and those glacially long "opening" times... especially when opening a PDF through your web browser.

    And nagging updates.
     
  8. dannyboy

    dannyboy Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    113
    Location:
    UK
    Another vote for Foxit. Acrobat has become the perfect example of bloated software, an absolutely dreadful program now.

    If I have to use Acrobat I download one of the earlier versions from oldversion.com
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Apparently that signature doesn't catch all variants, as NOD32 misses the sample I have.
     
  10. DennisTh

    DennisTh Registered Member

    Joined:
    Oct 18, 2007
    Posts:
    9
    +1 on Foxit. Not only is it faster and much lighter, it's not nearly as "network busy". We've been using it for over a year and have had zero problems. :cool:
     
  11. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Foxit is really good, but for some that might not be an option. There are several features of Acrobat that Foxit doesn't support, but for most users that only need to read some simple PDFs it's a very good option. I have to use Acrobat 8.x for that reason, and even if huge it takes about 1 second to start (a bit longer the first time after a reboot), so it's not that bad to use. I found version 7 to be much slower.
    So I would also find it interesting to know if NOD32 protects against this exploit; a recommendation for other programs is really not interesting at all. I do believe that the latest update from Adobe fixed that exploit, though.
     
  12. sasa843

    sasa843 Registered Member

    Joined:
    Feb 1, 2007
    Posts:
    113
    Location:
    Serbia, Europe
    According to the VirusTotal screenshot, apparently yes, it doesn't detect all variants. Maybe they will add some sort of generic signature for this exploit in the near future.
     
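The generic-signature question raised in the post above, as an added example that is not from the thread, from ESET or from Adobe: the thread never says which PDF feature the October 2007 exploit abused, so the script below does not reproduce that exploit. What it shows is why a narrow, variant-specific signature (a literal byte pattern) misses a trivially rewritten sample while a structural check does not. The PDF format lets any character in a name object be written as a #xx hex escape, so /JavaScript and /Ja#76aScript are the same name to the reader, and PDF malware uses exactly that to dodge literal signatures. The two embedded PDF fragments are constructed for this example, and the list of "risky" names is a triage choice made here, not an ESET detection.

```python
import re

# Constructed samples for the example: a minimal PDF that runs JavaScript on
# open, and the same document with three names hex-escaped (#41 = 'A',
# #76 = 'v', #53 = 'S').  Neither is a real exploit.
SAMPLE_PLAIN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
%%EOF"""

SAMPLE_OBFUSCATED = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj
3 0 obj << /S /Ja#76aScript /J#53 (app.alert(1)) >> endobj
%%EOF"""

# Names that warrant a closer look in an untrusted PDF.  Assumption: a generic
# triage list chosen for this example, not a signature for any specific exploit.
RISKY_NAMES = {"OpenAction", "AA", "JavaScript", "JS", "Launch", "URI",
               "EmbeddedFile", "RichMedia"}

# A PDF name starts with '/' and runs until whitespace or a delimiter character.
NAME_RE = re.compile(rb"/([^\s/<>\[\]{}()%]+)")


def decode_name(raw: bytes) -> str:
    """Resolve #xx hex escapes inside a PDF name, e.g. b'Ja#76aScript' -> 'JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def literal_match(data: bytes, pattern: bytes) -> bool:
    """The variant-specific check: a plain byte pattern, the way a narrow signature behaves."""
    return pattern in data


def scan_pdf(data: bytes) -> dict:
    """Structural check: map each risky name found to the raw spellings it appeared under."""
    found = {}
    for m in NAME_RE.finditer(data):
        raw = m.group(1)
        name = decode_name(raw)          # normalise before comparing
        if name in RISKY_NAMES:
            found.setdefault(name, []).append(raw.decode("latin-1"))
    return found


if __name__ == "__main__":
    for label, doc in (("plain", SAMPLE_PLAIN), ("obfuscated", SAMPLE_OBFUSCATED)):
        print(f"{label}: literal '/JavaScript' present = {literal_match(doc, b'/JavaScript')}")
        print(f"{label}: structural findings = {scan_pdf(doc)}")
```

The literal check finds /JavaScript in the first sample and nothing in the second; the structural scan reports OpenAction, JavaScript and JS in both, together with the spelling each was hidden under. A real scanner has further to go than this (names can also sit inside FlateDecode-compressed streams and object streams, which have to be inflated before they can be read), which is part of why a vendor's generic signature takes longer to ship than a hash of one sample.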
  13. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
  14. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
  15. TaInTeD_SnIpEr

    TaInTeD_SnIpEr Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    33
  16. dannyboy

    dannyboy Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    113
    Location:
    UK
  17. ASpace

    ASpace Guest


    Which is one more reason I would get rid of Adobe :thumb:
    This is ridiculous - release a vulnerable patch :D :D :D
     
  18. oldshep

    oldshep Registered Member

    Joined:
    Dec 19, 2006
    Posts:
    139
    I don't think you are correct in saying the patch is vulnerable. If you read the article provided by dannyboy closely, it appears that the new PDF exploit uses the problem fixed by the patch - trying to infect folks before they update Acrobat reader to the new version 8.1.1.

    From the article:
    "Adobe issued a patch this past week and the first thing Russian criminals did was examine it, extract the problem it fixes, and have now unleashed a flood of PDF spam with an exploit in it that will install rootkits and Trojans on your computer."

    ...

    "Adobe fixed the flaw Monday and released Acrobat Reader 8.1.1, and the company is working to fix the 7.0.x version as well."


    ...

    "Dunhan said the exploit emerged in the wild of the Internet within a day of Adobe issuing its patch and they are counting on considerable lag between the release of the patch and individuals updating their computers."
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Patches may introduce/reopen vulnerabilities. But, you misunderstood the article. It says that malware writers have reverse engineered the patch to see what it's fixing. Then, they release the exploit code and bet on unpatched machines, which are going to be a lot. Very few people keep third-party applications up-to-date.
     
  20. ASpace

    ASpace Guest

    You are right . I apologise :thumb:
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    No need to apologize :)
     
  22. oldshep

    oldshep Registered Member

    Joined:
    Dec 19, 2006
    Posts:
    139
    For those interested in a simple method of keeping third party apps up to date, you might try the Secunia Software Inspector site:

    http://secunia.com/software_inspector/
     
  23. net1

    net1 Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1
    Current NOD32 2621 (2007.10.28) still cannot detect it.

    Sample file has been sent.

    ~ VirusTotal screenshot removed per this Policy. Please submit infected files to samples[at]eset.com. - snapdragin ~
     
    Last edited: Oct 28, 2007
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Bloated is an understatement to say the least, and what's worse is it continues to swell with each new version :ouch:

    Might be the reason i reverted all the way back to Reader v.5 :cool:

    Seems these malware exploiters focus mostly on the latest releases anyway, especially if they even go after the patches?
     
  25. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    How do PDFs print? After all, that's their PURPOSE originally. Their web use is secondary and, quite honestly, a pain.
     