Adobe Reader 9 and Acrobat 9 zero day exploited in the wild

Yesterday, Adobe confirmed the existence of a critical vulnerability affecting Adobe Reader and Acrobat versions 9.0 and earlier, originally detected by the Shadowserver Foundation last week.

The ongoing targeted attacks have since been confirmed by both Symantec and McAfee, who urge users to disable JavaScript in Adobe Reader and Acrobat until Adobe issues a patch on the 11th of March. To do so: click Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript. Note that this removes the JavaScript stage the current samples rely on for heap spraying; it does not fix the underlying vulnerability, so the patch is still required.

Symantec’s comments on the potential for massive attacks using the exploit:

So far, these attacks appear to be targeted and not widespread. Symantec is continuing to monitor the vulnerability’s use in the wild.

While examining the JavaScript code used for “heap-spraying” in these PDFs, we can see the same comments that show that these separate exploit attempts come from the same source! It seems likely that the people behind this threat are using targeted attacks against high-ranking people within different organizations—for example, locating the CEO’s email address on the company website and sending a malicious PDF in the hope that their malicious payload will run. Once the machine is compromised, the attackers may gain access to sensitive corporate documents that could be costly for companies breached by this threat.

For the time being, cybercriminals chose to generate less noise by launching targeted attacks, just as they did earlier this week with the IE7 MS09-002 vulnerability. However, as we've seen before, it's only a matter of time until copycat attackers start using the exploit on a large scale.
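Given the heap-spraying JavaScript Symantec describes and the advice to disable JavaScript in Reader, a practitioner will want a quick way to triage suspicious PDFs before they are opened. The Python script below is an added example, not code from the original article, Symantec or Adobe: it extracts the document's streams (inflating FlateDecode ones), flags JavaScript and automatic actions, and looks for common heap-spray idioms. All names in it (triage_pdf, build_sample_pdf, the pattern constants) are the example's own; the heap-spray regexes are constructed idioms, not signatures taken from the samples in the attacks described, and the sample PDFs it builds are constructed test data carrying no real shellcode.

```python
"""Static triage of a PDF for embedded JavaScript and heap-spray idioms.

Added example, not code from the original article or from Symantec/Adobe.
Assumptions: the PDF is not encrypted, and its streams are either raw or
FlateDecode (zlib) compressed. Other filters, object streams and obfuscated
JavaScript are not handled, so a "clean" result means "nothing found".
"""
import re
import zlib

# PDF names that introduce JavaScript, or actions that fire automatically.
JS_NAMES = (b"/JavaScript", b"/JS")
AUTO_ACTION_NAMES = (b"/OpenAction", b"/AA")

# Idioms typical of heap-spraying JavaScript (constructed patterns, not
# signatures from the in-the-wild samples).
UNESCAPE_BLOB = re.compile(rb"unescape\s*\(\s*['\"](?:%u[0-9a-fA-F]{4}){8,}")
SPRAY_LOOP = re.compile(rb"while\s*\(\s*\w+\.length\s*<\s*0x[0-9a-fA-F]{5,}\s*\)")
NOP_SLED = re.compile(rb"(?:%u9090|%u0c0c|%u0d0d){4,}")

# "stream ... endstream" bodies; the lookbehind keeps "endstream" from
# being mistaken for the start of a new stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def extract_streams(pdf_bytes):
    """Yield each stream body, inflated when it is zlib/FlateDecode compressed."""
    for match in STREAM_RE.finditer(pdf_bytes):
        body = match.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body  # not compressed, or a filter this example does not handle


def triage_pdf(pdf_bytes):
    """Return a dict of indicator name -> bool for the given PDF bytes."""
    searchable = pdf_bytes + b"\n" + b"\n".join(extract_streams(pdf_bytes))
    return {
        "has_javascript": any(n in searchable for n in JS_NAMES),
        "auto_action": any(n in searchable for n in AUTO_ACTION_NAMES),
        "unescape_blob": bool(UNESCAPE_BLOB.search(searchable)),
        "spray_loop": bool(SPRAY_LOOP.search(searchable)),
        "nop_sled": bool(NOP_SLED.search(searchable)),
    }


def verdict(indicators):
    """Collapse the indicators into a triage label."""
    if indicators["unescape_blob"] or indicators["spray_loop"] or indicators["nop_sled"]:
        return "likely-malicious"
    if indicators["has_javascript"] and indicators["auto_action"]:
        return "suspicious"  # JavaScript that runs on open, but no spray idiom seen
    if indicators["has_javascript"]:
        return "review"
    return "clean"


def build_sample_pdf(js_source, compress=True):
    """Construct a minimal PDF whose OpenAction runs js_source (test data only)."""
    body = zlib.compress(js_source) if compress else js_source
    filt = b"/Filter /FlateDecode " if compress else b""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d %s>>\nstream\n%s\nendstream" % (len(body), filt, body),
    ]
    pdf = b"%PDF-1.4\n"
    for num, obj in enumerate(objects, 1):
        pdf += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed heap-spray-style script: NOP-like words only, no shellcode.
SPRAY_JS = (
    b"var payload = unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090');\n"
    b"var sled = unescape('%u0c0c%u0c0c');\n"
    b"while (sled.length < 0x40000) sled += sled;\n"
    b"var blocks = [];\n"
    b"for (var i = 0; i < 200; i++) blocks[i] = sled + payload;\n"
)

# Constructed benign script: JavaScript that runs on open but sprays nothing.
BENIGN_JS = b"this.print();\n"

if __name__ == "__main__":
    for label, js in (("spray", SPRAY_JS), ("benign", BENIGN_JS)):
        print(label, verdict(triage_pdf(build_sample_pdf(js))))
```

Run it as a script and it prints "likely-malicious" for the constructed spray sample and "suspicious" for the benign auto-run script; on a real file, pass the file's bytes to triage_pdf. Treat the result as a first filter only: an encrypted document, a stream using a filter other than FlateDecode, or JavaScript assembled at run time from string fragments will all pass through this check unseen.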

With several targeted campaigns currently active, what are the chances that a sample campaign would once again monetize infected hosts by installing rogue security software, as Conficker's first release did? Huge.

Analyzing the binary served once a host is successfully exploited in a sample campaign shows that it attempts to trick the user into installing the very latest rogue security software, Spyware Protect 2009. The cute part is that the cybercriminals didn't manage to configure their campaign correctly, so the download ends in a 404 error.

What's important to point out is that the original targeted attacks detected by the Shadowserver Foundation are once again using a well known and previously abused Chinese DNS provider, with more details about its owner available in a related BusinessWeek article.

[Source: zdnet]