There's a 0-Day PDF exploit taking advantage of a vulnerability found in Adobe Reader and Acrobat 9.2 and earlier. Adobe has issued an advisory on their PSIRT blog.
The screenshot below, pulled from our automation, shows that when the PDF file is opened in Adobe Acrobat/Reader it attempts to download an executable file. The server has been abused but is currently active.
The executable that is downloaded searches for and encrypts certain files and then uploads them to another server. This server is currently online and its contents are publicly browsable.
The machine name and the IP address of the compromised machine are included.
Here's an example:
Based on the numbers of files found on the upload server, it appears that this exploit is only being used in targeted attacks.
But that could easily change…
Disabling Acrobat's JavaScript option may offer some mitigation.
Adobe is now on a scheduled quarterly update cycle, with security patches coming as needed on the same day as Microsoft's updates. It could be January 12th before Adobe publishes a fix.
We detect the following:
The exploit as Exploit:W32/AdobeReader.Uz. The downloaded file as Trojan-Dropper:W32/Agent.MRH. The dropped files as Trojan:W32/Agent.MRI, Trojan:W32/Agent.MRJ, and Rootkit:W32/Agent.MRK.
Updated to add: According to Contagio Malware Dump, some of the original targeted attack emails looked like this:
From: Rachel Millstone To: (redacted) Date: Dec 11, 2009 3:12 PM Subject: reference
Dear All Please find attached the updated country briefing notes, and staff lists.
kind regards Rachel
Attachment: note_20091210.pdf
From: fureer.angelica@gmail.com To: (redacted) Date: 2009-12-13 12:14 AM Subject: Interview Request
This is Fureer Angelica, diplomaic broadcaster for CNN in DC. There's growing concern about the U.S.-North Korea bilateral talks. So, we're planning an Interview about them. Attached is the outline of the interview.
p.s. Detailed schedules will be followed soon if you accept the offer.
Attachment: File outline_of_interview.pdf
From: jackr@gilbrooks.edu To: (redacted) Subject: reference Date: Mon, 30 Nov 2009 06:53:52 +0000
Dear All Please find attached the updated country briefing notes, and staff lists.
kind regards Jack
Attachment: note200911.pdf
—————
Updated to add: Adobe has published an updated Security Advisory. They plan to make an update available on January 12th.
