The Latest in IT Security

Adobe Zero-day Vulnerability Installs Backdoor – Another Targeted Attack?

15 Dec 2011

When I read this blog entry a few days ago, the first question that entered my head was, “Is this another targeted attack?”. I took a look at the .PDF discussed in the entry and it appeared to be a document addressed to employees of a certain defense contractor. Trend Micro products detect this malicious .PDF as TROJ_PIDIEF.EGG. Below is a screenshot of the survey.

It appears to me that cybercriminals are specifically targeting the employees of this defense contractor in order to obtain information about the company and possibly its clients as well. I also learned that their customers include many high-profile federal government agencies.

The exploit technique used in this .PDF is similar to other commonly used exploits. It contains malicious JavaScript that runs shellcode, which in turn decrypts and installs a binary embedded in the PDF. Below is the embedded binary, which is detected by Trend Micro as BKDR_SYKIPOT.B.
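The chain described above (JavaScript inside the PDF, an action that fires it on open, and an embedded payload) leaves static traces in the file itself. The following is an added triage script, not Trend Micro's tooling or anything from the original post: it normalizes PDF name objects (attackers often write `/J#61vaScript` instead of `/JavaScript`, which the PDF spec allows and naive grep misses), counts a small set of risk indicators, and returns a verdict. The indicator list and the two sample PDFs are constructed for this example.

```python
"""Static triage of a PDF for the indicators discussed in the post:
JavaScript, an auto-run action, and an embedded U3D/binary stream.
Added example; indicator list and sample PDFs are our own constructions."""
import re
from collections import Counter

# PDF name objects worth flagging in a first-pass triage (assumption: our list).
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/U3D",
              b"/EmbeddedFile", b"/Launch")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes inside PDF names (e.g. /J#61vaScript ->
    /JavaScript) so keyword matching sees the canonical spelling."""
    return _HEX_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def count_indicators(data: bytes) -> dict:
    """Count whole-token occurrences of each indicator after normalization."""
    norm = normalize_names(data)
    counts = Counter()
    for ind in INDICATORS:
        # Negative lookahead keeps /JS from matching inside a longer name.
        pattern = re.escape(ind) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, norm))
        if n:
            counts[ind.decode()] = n
    return dict(counts)


def triage(data: bytes) -> dict:
    """Combine indicators into a simple verdict: JavaScript reachable from an
    automatic action, or an embedded U3D/file stream, is enough to escalate."""
    counts = count_indicators(data)
    has_js = "/JavaScript" in counts or "/JS" in counts
    auto_action = "/OpenAction" in counts or "/AA" in counts
    auto_exec_js = has_js and auto_action
    embedded = "/U3D" in counts or "/EmbeddedFile" in counts
    verdict = "suspicious" if (auto_exec_js or embedded) else "benign-looking"
    return {"indicators": counts, "auto_exec_js": auto_exec_js, "verdict": verdict}


# Constructed sample: catalog auto-runs a JavaScript action whose name is
# hex-escaped, and a page carries a U3D annotation stream.
SAMPLE_MALICIOUS = b"""%PDF-1.6
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj
5 0 obj << /Type /Annot /Subtype /3D /3DD 6 0 R >> endobj
6 0 obj << /Type /3D /Subtype /U3D /Length 4 >> stream
U3D
endstream endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Constructed sample: an empty document with no actions or streams.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

This is a triage filter, not a verdict engine: objects packed into compressed object streams (`/ObjStm` with `/FlateDecode`) hide their names from a byte scan, so a clean result on a file that still has compressed object streams should be followed by inflating those streams before trusting it.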

Users who seldom check the running processes on their computers probably won’t notice the backdoor pretty.exe running in the background. It doesn’t exhibit any destructive behavior on its own, but if the backdoor connection succeeds, a remote user could gain control over the infected system and cause far more damage, including downloading additional malicious files and rebooting the system, to name a few.

Trend Micro protects its customers from this attack via the Trend Micro™ Smart Protection Network™ infrastructure by blocking all related files and URLs.

Threat Discovery Appliance (TDA) is also able to detect traffic related to the malicious sites through TDA Rule 18 NCCP – 1.11525.00, while Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plug-in provide protection through the following rules:

  • 1004871 – Adobe Acrobat Reader U3D Component Memory Corruption Vulnerability (CVE-2011-2462)
  • 1004873 – Adobe Acrobat Reader U3D Component Memory Corruption (CVE-2011-2462)

Users can remain informed by taking a look at the Adobe security advisories page for more information on this zero-day vulnerability.
