Email Login| Link Exchange | Cyber News | Phishing Attack | SQL Injection | SEO | DOS Attack | Hacking Tools | |Hacking Tricks | Penetration Testing | Trojans & Keyloggers |Hacking Videos | General Discussion | Website Hacking | Session Hijacking | Social Engineering | Anonymous Surfing | Recover Passwords | Bypass Firewall | Hacking Books | Network Sniffers | Password Cracking | Enumerating & Fingerprinting | Movies & Songs

Learn How to Hack

Click Here to Learn Ethical Hacking From Amarjit Singh & Ajay Anand

Monday, May 3, 2010

Adobe PDF unfixed flaw exploited by hackers

Several security companies warned of a major malware campaign that tries to dupe users into opening rigged PDFs that exploit an unpatched design flaw in the format

Users who open the attack PDFs are infected with a variant of a Windows worm known as "Auraax" or "Emold," researchers said.

The malicious messages masquerade as mail from company system administrators and come with the subject heading of "setting for your mailbox are changed," said Mary Grace Gabriel, a research engineer with CA Inc.'s security group. A PDF attachment purportedly contains instructions on how to reset email settings. "SMTP and POP3 servers for ... mailbox are changed. Please carefully read the attached instructions before updating settings," the message states.

In reality, the PDFs contain embedded malware and use the format's /Launch function to execute that malware on Windows PCs running the newest versions of the free Adobe Reader, Adobe's for-a-fee Acrobat and other PDF viewers, such as Foxit Reader.

The /Launch feature is not a security vulnerability per se, but actually a by-design function of the PDF specification. Earlier this month, Belgium researcher Didier Stevens demonstrated how attack PDFs could use /Launch to run malware tucked into documents.

Two weeks ago, security researchers tracked a new run by the Zeus botnet that used the /Launch flaw to infect PCs.

Adobe has previously declined to answer questions on whether in-the-wild use of /Launch in rigged PDFs would prompt the company to update Reader and Acrobat, although it has said a change to the functionality might "conceivably [be made] available during one of the regularly scheduled quarterly product updates." Brad Arkin, Adobe's head of security and privacy, has acknowledged that one possible solution would be to disable the function; currently, it's turned on by default.

After analysing the attack PDF, other researchers found that hackers are using Stevens' tactic of modifying the warning that Reader and Acrobat display. Adobe Reader, for example, displays a message telling users to open only those files they know are safe. In the same Windows dialog box, Reader displays the filename of the file about to be launched. According to IBM Internet Security Systems researchers, hackers have modified the warning to simply read, "Click the 'open' button to view this document."

READ FULL ARTICLE HERE
|
Geared by Amarjit Singh
For more articles similar to this post visit @ Hacking News

0 Visitor Reactions & Comments:

Subscribe to: Post Comments (Atom)