Sophisticated PDF exploit evades analysis

Discussion in 'malware problems & news' started by Rmus, Jan 4, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    For those who use on-line analysis sites such as Wepawet to scan PDF files, the exploit identified last month is able to trick those tools that use a JavaScript interpreter:

    Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
    http://isc.sans.org/diary.html?storyid=7867

    From the analysis, we learn that the malicious executable is embedded in the PDF file, meaning that a connection out to another server is not required.

    Also:

    Adobe CVE-2009-4324 in the wild - (0day) - part 0.3 - merry christmas from (for) Taiwan ? :)
    http://extraexploit.blogspot.com/search/label/CVE-2009-4324

    In this case any anti-execution protection will catch the embedded executable when it attempts to run.

    While these are "targeted" attacks -- sent usually to specific institutions/companies -- it's wise to be prepared:

    Adobe has announced a patch for January 12.

    Again, from Sans.org:
    ----
    rich
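The point of the post above is that a sandbox which relies on interpreting the document's JavaScript can be fooled, while the dropped executable is carried inside the PDF itself. A complementary check is a purely static triage that never runs any script: walk the PDF's objects, inflate any /FlateDecode streams, and flag streams whose decoded bytes begin with the "MZ" signature of a Windows executable, together with the dictionary names (/JavaScript, /EmbeddedFile, /OpenAction, ...) that usually accompany active or embedded content. The following is an added example written for this thread, not a tool from the SANS or extraexploit write-ups: the keyword list, the object regexes and the sample PDF are all assumptions of the example, the sample is constructed in the script (its "MZ" stub is two magic bytes plus padding, not an executable), and the parser assumes the simple uncompressed object layout shown, with no object streams or cross-reference streams.

```python
import re
import zlib

# Dictionary names that commonly accompany active or embedded content in a PDF.
# Assumption of this example, not a list taken from the SANS analysis.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/EmbeddedFile", b"/Launch", b"/OpenAction")

# "N G obj ... endobj" for each indirect object (assumes no object streams).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# The raw bytes between the stream/endstream keywords of one object.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decode_stream(head, raw):
    """Inflate the stream if its dictionary names /FlateDecode; otherwise return the raw bytes.
    A stream that claims to be deflated but will not inflate is returned raw rather than
    dropped, so a deliberately corrupt stream still gets inspected."""
    if b"/FlateDecode" in head:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw
    return raw


def triage_pdf(data):
    """Return a list of (object_number, finding) tuples for a PDF given as bytes.
    No JavaScript is interpreted; the check is on structure and decoded stream bytes only."""
    findings = []
    for m in OBJ_RE.finditer(data):
        num = int(m.group(1))
        body = m.group(3)
        head = body.split(b"stream", 1)[0]  # the object's dictionary, before any stream data
        for name in SUSPICIOUS_NAMES:
            if name in head:
                findings.append((num, "name " + name.decode()))
        sm = STREAM_RE.search(body)
        if sm:
            payload = decode_stream(head, sm.group(1))
            if payload.startswith(b"MZ"):
                findings.append((num, "stream starts with PE/MZ header"))
    return findings


def build_sample_pdf():
    """Constructed sample: a catalog whose /OpenAction points at a JavaScript action, plus a
    deflated /EmbeddedFile stream that begins with the 'MZ' magic. The stub is padding
    only and is not an executable."""
    stub = b"MZ" + b"\x00" * 62 + b"constructed stub, not a real PE file"
    packed = zlib.compress(stub)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return out


if __name__ == "__main__":
    for num, finding in triage_pdf(build_sample_pdf()):
        print("object %d: %s" % (num, finding))
```

Because nothing is executed, the interpreter-evasion trick described in the post does not apply to this check; the trade-off is that a static scan is only as good as its string matching, and PDF names can be written with #xx hex escapes or the stream can use a filter chain this example does not decode, so a clean result here is a triage signal, not a verdict.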
     
  2. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited: Jan 7, 2010
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
  4. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    Thanks for the article. I got one such PDF some days ago, which wasn't detected by Wepawet, but Prevx successfully detected the file. VT result was 0/40.
     