Adobe Acrobat Hit Again

It’s true.

Adobe Acrobat is vulnerable once again. This is getting ridiculous. They have enough money to buy up software companies but yet they can’t invest the time and money to harden their existing products?

They worked so hard to get everyone to use their software. It’s standard on computer installs now. Who doesn’t have Adobe Acrobat Reader on their computer?

With this latest “hole”, I’ve started looking for alternatives and I’ll let you know if and when I find one. But in retrospect, I’d rather stay with a company that is solidly locked into the software market and has a lot to lose if they don’t fix their vulnerabilities, than one that might be a fly-by-night company and leaves me standing out in the cold.

Many in the security community have even coined an acronym for this scenario – YAPE (Yet Another PDF Exploit). You know things are bad when the security community assigns an acronym to it.

Adobe is again recommending that you disable Javascript in Adobe Acrobat. If you followed my instructions last time, you still have Javascript disabled so you’re safe. If for some reason, you didn’t read my last warning about Adobe Acrobat here are the steps to follow:

To turn off Javascript follows these steps:

  1. Launch Adobe Acrobat Reader
  2. Select Edit -> Preferences
  3. Select the Javascript category
  4. Uncheck the “Enable Acrobat Javascript” option
  5. Click “Ok”

It begs the question, “Why does anyone need Javascript in a reader for locked files anyway?” To me, it’s technology looking for a reason.

When Adobe first introduced the Javascript ability, I looked for a way to turn it off. I don’t need it. I don’t want something in my software that allows other people to control what I’m doing.

As of this writing, Adobe is working on a patch. All versions of Adobe Acrobat, on every platform; Mac, Linux and Windows are vulnerable.

I will keep you updated on this situation or you can follow it on Adobe’s website here:

As always, I recommend you apply the patch as it becomes available as this exploit will allow an attacker to remotely execute commands on your computer and the exploit code is already available.

Our honeypots have not detected any new waves of infectious PDFs in the wild – yet. But sure as, well you know, they will be forth coming.

Please feel free to pass the link to this posting to your friends and family.


Malicious PDF's being sent

In the past 2 days we’ve been picking up malicious Adobe Acrobat files also known as PDF’s (the file extension on these files).

We received these files in our honeypots as email attachments and when clicked on they infect Windows XP SP3 systems with Adobe Acrobat 8.1.1, 8.1.2, 8.1.3 and 9.0.0. It appears that disabling JavaScript in your Adobe Acrobat Reader will eliminate the threat that this attack exploits.

To disable JavaScript in Adobe Acrobat Reader, open the program, click on Edit->Preferences->JavaScript then uncheck Enable Acrobat JavaScript. You may experience some program crashes even with JavaScript disabled, however, you will not become infected.

When a computer is infected, it will have these additional files:

  1. temp/svchost.exe
  2. temp/temp.exe
  3. system32/(8 random characters).dll

In addition the infected computer will open a backdoor that will allow the cybercriminal to remotely control the PC (it will become part of a botnet)

Of course, if you’re security system is blocking “exe” downloads from non-whitelisted sites, you don’t have worry about this. (The Box does)


Halloween Costumes and SEO

Not to be left out of the upcoming festivities, hackers are using SEO to infect more people with their fake Anti-virus programs.

For the past week we’ve been monitoring 2 current events – Halloween and the financial crisis.

What we’ve seen is that hackers are infecting legitimate websites that show up in the SERPs when “halloween costume” is the the search term. Their infection includes some javascript that does a silent redirect to one of their websites which falsely shows the visitor that their computer might be infected and they should download “their” anti-virus software to improve the speed of the visitor’s computer.

The thing is, the infection of the legitimate website is a silent redirect that actually includes the keywords optimized for high SE rankings. So the hacker is actually making the infected webpage rank higher in the search engines. They actually use common SEO techniques to attract more people to their infectious webpages.

Another thing we’ve seen and has been confirmed by Panda Labs is the correlation between down days in the stock market and the amount of new malware released. As the market dips, the number of infectious files increases. We’ve been noticing this on our honeypots (computers we leave open on the Internet hoping they’ll get infected so we can further analyze the infection)

This kind of runs parallel with the halloween costume scenario. What the hackers are doing during the dips in the market are making “available” their rogue (read fake) anti-malware software via various infected webpages.

Instead of going after banking logins and other such useful information they’re (the hackers) interested in “legitimitizing” their business by selling their rogue anti-malware. First they have to convince the visitor that their computer is infected, then they offer an immediate solution.


Following standard marketing strategies, the hackers are actually making the visitor aware of a need and then offering a quick solution – for $60.

According to Panda Labs, they estimate that this marketing strategy has made the hackers approximately $14 million a month. I’m not sure I follow their math, but regardless, the hackers are making money.

I believe that the financial crisis is creating more fear about identity theft and therefore making this strategy more effective during the down cycles in the market.

Just so you know, our honeypots are fed popular keywords based on current events and then they visit the resulting webpages, record the activity and that’s what we base our information on.

It’s a fun way of spying on the hackers and it’s what we use in our securitiy appliance “The Box” to blacklist websites and malicious code. It’s what we use in WeWatchYourWebsite to find malicious code. We then search all of our clients websites looking for this malicious code. If any is found, we alert them immediately.

Be careful out there. It’s getting real nasty.