When I read this blog entry a few days ago, the first question that entered my head was, “Is this another targeted attack?”. I took a look at the .PDF discussed in the entry and it appeared to be a document addressed to employees of a certain defense contractor. Trend Micro products detect this malicious .PDF as TROJ_PIDIEF.EGG. Below is a screenshot of the survey.

This .PDF exploit technique is similar to other commonly-used exploits. It contains a malicious JavaScript which executes a shellcode that decrypts and installs an embedded binary in the PDF. Below is the embedded binary, which is detected by Trend Micro as BKDR_SYKIPOT.B.
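The chain described above (JavaScript action, shellcode, embedded binary) leaves structural traces in the file even before any signature exists for it. The script below is an added example, not Trend Micro's tooling or code from the original post: it is a static triage pass that resolves PDF name escapes (such as `/J#61vaScript`), inflates FlateDecode streams so names hidden in object streams become visible, and counts the names that matter for this kind of dropper (`/JavaScript`, `/JS`, `/U3D`, `/EmbeddedFile`, `/OpenAction`, `/Launch`). The sample PDF it scans is constructed for the demonstration and is not the TROJ_PIDIEF.EGG document; the indicator list and the three-level verdict are this example's own choices.

```python
import re
import zlib
from collections import Counter

# Names worth a second look during triage. A benign 3D PDF also carries
# /U3D, so the verdict keys on combinations, not on any single name.
SUSPICIOUS_NAMES = (
    b"/JavaScript", b"/JS", b"/U3D", b"/EmbeddedFile",
    b"/OpenAction", b"/AA", b"/Launch",
)

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name escapes, e.g. /J#61vaScript -> /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the plaintext of every zlib-decompressible stream body so that
    keywords tucked into FlateDecode object streams are scanned as well."""
    extra = []
    for m in STREAM_RE.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not a flate stream (raw data, other filter, empty)
    return data + b"\n" + b"\n".join(extra)


def triage_pdf(data: bytes) -> dict:
    """Count suspicious names and rate the file low / medium / high."""
    visible = normalize_names(inflate_streams(data))
    counts = Counter()
    for name in SUSPICIOUS_NAMES:
        # Require a delimiter after the name so /JS does not also count /JSX.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", visible))
        if n:
            counts[name.decode()] = n
    has_js = counts["/JavaScript"] + counts["/JS"] > 0
    u3d = counts["/U3D"] > 0
    dropper = counts["/EmbeddedFile"] > 0
    if has_js and (u3d or dropper):
        level = "high"      # script plus a U3D stream or embedded payload
    elif has_js or u3d or dropper or counts["/OpenAction"] or counts["/Launch"]:
        level = "medium"
    else:
        level = "low"
    return {"indicators": dict(counts), "level": level}


def build_sample_pdf() -> bytes:
    """Constructed sample (not the real malicious document): an escaped
    /JavaScript action fired by /OpenAction, a U3D 3D stream, and an
    /EmbeddedFile dictionary hidden inside a FlateDecode object stream."""
    hidden = zlib.compress(b"<< /Type /EmbeddedFile >>")
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
        b"3 0 obj << /S /J#61vaScript /JS (/* script body omitted */) >> endobj\n",
        b"4 0 obj << /Type /3D /Subtype /U3D /Length 0 >> stream\n\nendstream endobj\n",
        b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
        + str(len(hidden)).encode() + b" >>\nstream\n" + hidden + b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

Run it on a quarantined file with `triage_pdf(open(path, "rb").read())`. This is a triage aid, not a verdict: it will miss names encoded in ways it does not normalize and streams compressed with other filters, so a "low" result only means nothing obvious was found, while a "high" result is a reason to detonate the file in a sandbox or compare it against the vendor detections named in this post.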

Trend Micro protects its customers from this attack via the Trend Micro™ Smart Protection Network™ infrastructure by blocking all related files and URLs.
Threat Discovery Appliance (TDA) is also able to detect traffic related to the malicious sites through TDA Rule 18 NCCP – 1.11525.00, while Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plug-in provide protection through the following rules:
- 1004871 – Adobe Acrobat Reader U3D Component Memory Corruption Vulnerability (CVE-2011-2462)
- 1004873 – Adobe Acrobat Reader U3D Component Memory Corruption (CVE-2011-2462)
Users can remain informed by taking a look at the Adobe security advisories page for more information on this zero-day vulnerability.