Adobe PDF exploit emails in the wild

InvisiBill

FYI, I just got an email with an infected attachment. https://www.virustotal.com/file-sca...b28d7af750d4dc00df8b496cfcf8820212-1301053048 Currently only MS and AntiVir are actually detecting it.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Pdfjsc
Win32/Pdfjsc is the detection for a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. These files contain a JavaScript that executes when the file is opened.

The embedded JavaScript may contain malicious instructions, such as commands to download and install other malware. Files detected as Exploit:Win32/Pdfjsc may arrive in the system when a user visits a compromised or malicious webpage, or opens a malicious PDF email attachment.

http://www.adobe.com/support/security/advisories/apsa11-01.html is Adobe's page about the vulnerability.
Adobe recommends users update to Adobe Flash Player 10.2.153.1 (Adobe Flash Player 10.2.154.25 for Chrome users).
Adobe recommends users update to Adobe Acrobat 9.4.3 or Adobe Acrobat X 10.0.2.

The email that I got looked like this, and had "OrderN25031135.pdf" attached.
Subject: Your Order No 461316 | Puremobile Inc.
Date: Fri, 25 Mar 2011 05:04:45 -0400
From: PuremobileInc. <[email protected]>

Thank you for ordering from Puremobile Inc.

This message is to inform you that your order has been received
and is currently being processed.

Your order reference is 18105.
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card.
Your card will be charged for the amount of 645.00 USD
and "Puremobile Inc." will appear next to the charge on your statement.
Your purchase information appears below in the file.

Puremobile Inc.

I haven't had much time to dissect the PDF yet, but you should avoid opening these files if you use Adobe PDF products.
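Added example (mine, not from the thread): a small Python triage script that checks a PDF attachment for the traits Microsoft's Pdfjsc description names, an open-time action (/OpenAction or /AA) paired with embedded JavaScript, without ever opening the file in a reader. It also resolves hex-escaped names and inflates FlateDecode streams, two places such names are often hidden; the sample PDF below is constructed for the demo and its script is a harmless alert.

```python
import re
import zlib

# PDF names worth a closer look; Win32/Pdfjsc files pair an open-time action
# (/OpenAction or /AA) with embedded JavaScript (/JavaScript, /JS).
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")            # /J#61vaScript -> /JavaScript
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def inflate_streams(data: bytes) -> bytes:
    """Append the content of every stream that inflates as zlib (FlateDecode)."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed or corrupt: nothing to add
    return data + b"\n" + b"\n".join(extra)

def normalise_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF names, a common way to hide /JavaScript."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Return {suspicious name: occurrence count} over raw plus inflated content."""
    text = normalise_names(inflate_streams(data))
    hits = {}
    for name in SUSPICIOUS_NAMES:
        n = len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z])", text))
        if n:
            hits[name] = n
    return hits

def runs_js_on_open(hits: dict) -> bool:
    """The Pdfjsc shape: an open-time action dictionary plus JavaScript."""
    return bool(hits.keys() & {"/OpenAction", "/AA"}) and bool(hits.keys() & {"/JavaScript", "/JS"})

# Constructed sample: the JavaScript action sits in a Flate-compressed object
# stream and its /JavaScript name is hex-escaped; the script is a harmless alert.
_OBJSTM = zlib.compress(b"3 0 << /S /J#61vaScript /JS (app.alert(1)) >>")
SAMPLE_PDF = (
    b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_OBJSTM)).encode() + b" >>\nstream\n" + _OBJSTM
    + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

print(scan_pdf(SAMPLE_PDF), "->", runs_js_on_open(scan_pdf(SAMPLE_PDF)))
```

A hit is a reason to sandbox or discard the attachment, not proof of malice: legitimate forms also use JavaScript, so treat the result as triage, not a verdict.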
Malware just gets more and more frustrating..

This may be kind of a noob question, but do you get a benefit when it comes to malware from using non-Adobe PDF software/plugins? I know any software can be exploited, to an extent, but are there exploits with Adobe PDF that would not affect, say, CutePDF, Sumatra or others? Is the answer, "it depends"?
 
I'd like to know what version of Adobe Acrobat you are using since Adobe Acrobat 10 is sandboxed.
 
Malware just gets more and more frustrating..

This may be kind of a noob question, but do you get a benefit when it comes to malware from using non-Adobe PDF software/plugins? I know any software can be exploited, to an extent, but are there exploits with Adobe PDF that would not affect, say, CutePDF, Sumatra or others? Is the answer, "it depends"?

I guess the 100% correct answer is "it depends". It's like IE and Firefox - as they're both web browsers, they do similar things and therefore could contain similar code. A vulnerability based on the concept of how something is handled (like IDNs and such) could easily affect a number of browsers. However, each program is written in different ways by different people, so something like a buffer overflow (caused by the code not properly validating input) is unlikely to occur in both browsers at exactly the same place.

Only Adobe products are listed as being vulnerable (http://www.securityfocus.com/bid/46860), so in this case using an alternate PDF program should protect you. Other programs could have similar vulnerabilities just due to similar bugs in those programs' code, but they'd be more likely to share a vuln based on some concept inherent in the PDF format.


I'd like to know what version of Adobe Acrobat you are using since Adobe Acrobat 10 is sandboxed.

I'm not using any Adobe products myself. Reader X's sandboxing does mitigate this issue, but a number of other Adobe products are vulnerable. Adobe Flash Player 10.2.154.18, Adobe Acrobat (Standard and Professional) 10.0.1, Adobe AIR 2.5.1, and Adobe Reader 10.0.1 for example...
 
Reader X + disable Javascript in the Reader + enable automatic updates in Reader. I have yet to hear from one of my clients that had an issue with a good PDF failing to work properly.

I recall reading a while back that Foxit has some security vulnerabilities. Not sure if it was the same ones as Adobe. Foxit also adopted a "sandbox" model or something they call Safe Browsing.

As for Adobe Flash, yeah, keep that updated too. One of these days I'll come up with the appropriate logon scripts to force installation of Flash updates on my clients' workstations.