New Adobe 0-day exploit (Dec 16, 2009)

The SonicWALL UTM Research team found reports of a new 0-day vulnerability (CVE-2009-4324) in Adobe Reader and Acrobat 9.2 and earlier being exploited in the wild via malicious PDF files, starting Monday, December 14, 2009. Adobe confirmed the vulnerability on December 15, 2009 and published a security advisory.

The malicious PDF files have been distributed by e-mail in a series of targeted attacks since early December 2009; the exploit PDF is carried as the message attachment. The observed messages look like the following:

Subject:

  • reference
  • Interview Request

Attachment:

  • note_20091210.pdf
  • outline of interview.pdf

Email Body #1:
————————
Dear All

Please find attached the updated country briefing notes, and staff lists.

Kind regards
Jack
————————

Email Body #2:
————————
This is Fureer Angelica, diplomaic broadcaster for CNN in DC.
There’s growing concern about the U.S.-North Korea bilateral talks.
So, we’re planning an Interview about them.
Attached is the outline of the interview.

p.s. Detailed schedules will be followed soon if you accept the offer.
————————

The specially crafted PDF carries a malicious executable (AdobeUpdate.exe) embedded inside a FlateDecode-compressed stream. When the victim opens the PDF it performs the following actions:

  • Exploits the vulnerability in Adobe Reader and extracts the embedded executable.
  • Drops and runs the executable from %TEMP%\AdobeUpdate.exe [Detected as GAV: Genome.AAWD (Trojan)]
  • The executable then attempts to download additional malware from:
    • foruminspace.com/document(REMOVED).exe [Detected as GAV: Tapaoux.A (Trojan)]
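The two structural traits called out above, a JavaScript action plus an executable hidden in a compressed stream, are exactly what a static PDF triage check can key on, much as the GAV and IPS signatures mentioned below do. The script that follows is an added example written for this page, not SonicWALL's code and not the real sample: it builds a constructed, harmless stand-in PDF (an /OpenAction JavaScript object and a FlateDecode stream whose inflated bytes start with an MZ header followed by a PE signature), then inflates every FlateDecode stream and flags the file if it finds both traits. The object layout and the `build_sample_pdf`/`scan_pdf` names are assumptions for illustration.

```python
import re
import zlib


def build_sample_pdf(with_exploit: bool = True) -> bytes:
    """Constructed stand-in for the malicious PDF (NOT the real sample).

    with_exploit=True  -> JavaScript /OpenAction + FlateDecode stream hiding
                          an MZ/PE-looking blob (mimics the structure above).
    with_exploit=False -> benign GoTo action + ordinary compressed page content.
    """
    if with_exploit:
        hidden = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"fake payload, not a real PE"
        action = b"<< /S /JavaScript /JS (app.alert('trigger')) >>"
    else:
        hidden = b"BT /F1 12 Tf 72 720 Td (Hello, world) Tj ET"
        action = b"<< /S /GoTo /D [3 0 R /Fit] >>"
    stream = zlib.compress(hidden)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 5 0 R >>",
        action,
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objs, start=1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Innermost << ... >> dictionary directly before a stream, then the stream body.
STREAM_RE = re.compile(
    rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Any JavaScript action or /JS key, the trait the IPS signatures key on.
JS_RE = re.compile(rb"/(?:JavaScript|JS)\b")
# DOS header followed within 512 bytes by the PE signature.
PE_RE = re.compile(rb"MZ.{0,512}?PE\x00\x00", re.DOTALL)


def inflate(raw: bytes) -> bytes:
    """Inflate a FlateDecode stream; a truncated stream yields what it can."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return b""


def scan_pdf(pdf: bytes) -> dict:
    """Report the two traits: JavaScript present, executable inside a stream."""
    report = {"javascript": JS_RE.search(pdf) is not None,
              "flate_streams": 0,
              "embedded_pe": False}
    for match in STREAM_RE.finditer(pdf):
        dictionary, body = match.group(1), match.group(2)
        if b"/FlateDecode" in dictionary:
            report["flate_streams"] += 1
            body = inflate(body)          # look at the decoded bytes, not the deflate data
        if PE_RE.search(body):
            report["embedded_pe"] = True
    report["suspicious"] = report["javascript"] and report["embedded_pe"]
    return report


if __name__ == "__main__":
    for label, flag in (("exploit-like", True), ("benign", False)):
        print(label, scan_pdf(build_sample_pdf(flag)))
```

The check is deliberately narrow: real samples routinely hide the `/JS` name with hex escapes (`/J#53`), chain several filters, or put the dictionary inside an object stream, so a production scanner normalises names and decodes every filter before matching. Its value here is showing why inflating streams matters: the MZ/PE pattern is invisible in the raw deflate bytes and only appears after decoding.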

No patch is available from the vendor at the time of writing. Because the exploit relies on JavaScript, the recommended mitigation is to disable JavaScript in Adobe Reader and Acrobat (Edit > Preferences > JavaScript, uncheck "Enable Acrobat JavaScript"). This blocks the observed attack but does not remove the underlying flaw, so the patch should still be applied once released.

SonicWALL Gateway AntiVirus provides protection against this threat via the GAV: Suspicious#exepdf (Worm) signature. SonicWALL also provides protection via the IPS: PDF File with Javascript 1 and IPS: PDF File with Javascript 2 signatures.
