Sophisticated PDF exploit evades analysis

Discussion in 'malware problems & news' started by Rmus, Jan 4, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    For those who use on-line analysis sites such as Wepawet to scan PDF files, the exploit identified last month is able to trick these tools which use a Javascript Interpreter:

    Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
    http://isc.sans.org/diary.html?storyid=7867

    From the analysis, we learn that the malicious executable is embedded in the PDF file, meaning that a connection out to another server is not required.

    Also:

    Adobe CVE-2009-4324 in the wild - (0day) - part 0.3 - merry christmas from (for) Taiwan ? :)
    http://extraexploit.blogspot.com/search/label/CVE-2009-4324

    In this case any anti-execution protection will catch the embedded executable when it attempts to run.

    While these are "targeted"attacks -- sent usually to specific institutions/companies -- it's wise to be prepared:

    Adobe has announced a patch for January 12.

    Again, from Sans.org:
    ----
    rich
     
  2. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited: Jan 7, 2010
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
  4. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    746
    Thanks for the article, I got such one PDF someday ago, which wasnt detected by wepawet but got detected but Prevx successfully detected the file. VT result was 0/40.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.