THIS BLOG HAS MOVED
PLEASE UPDATE YOUR BOOKMARK
www.pccybertek.com
Thanks to blogger for hosting me all these years
I just wanted to move to the next level and host my blog
on my own host
March 1, 2009
February 24, 2009
Adobe Acrobat Reader Vulnerability & Fix
It has been recently disclosed that Adobe Acrobat Reader is vulnerable to a virus attack. Known as Adobe Reader PDF File Handling Remote Code Execution Vulnerability. A .pdf file, which is what you are reading with acrobat, is created with some code in it that uses java to exploit your computer.
After checking the usual exploit sites, I found several versions of this attack and proof of concepts. I tested them against several anti virus programs, and so far none of them detect it. I believe it is because of the way this attack is implemented. And I don't think they will detect it since it's not an "infected" file but a .pdf document. I could be wrong about this and maybe there will be some anti virus software that will detect it. Let me clarify this. The exploits I found were not detected. There is a trojan going around, called Pidief.E, which uses this vulnerability to install a second piece of malware. This second piece of malware takes screen shots and installs a keylogger. The screen shots and what you have typed on your computer are uploaded somewhere so the bad guys can go through it, and look for user names, passwords, credit card numbers, etc.
This particular malware can be detected, it's the others that are out there that are worrisome.
I was more concerned with finding a fix now, because Adobe has said the flaw will be closed by March 11th, through updates to Acrobat Reader 9. Updates for earlier versions will be released later.
For now I have found to fixes. The first is a "homebrew" patch from soucerfire and can be found here. While I applaud their efforts, replacing the .dll file with their patch could have unknown results. The second fix, which I have been implimenting all day it work today, is to disable java script in acrobat reader. This is easy enough to do. Simply run Adobe Acrobat Reader. Select edit and go down to teh bottom and select prefrences. Once prefrences is open, you will see JavaScript on the left side, under catagories. After you have selected JavaScript, you will see your options on the right. The first box that is checked says Enable Acrobat Java Script. Just uncheck this box, and you are done.
If you open a .pdf file in the future and it asks you to re-enable java script, be sure to tell it no. And be sure to update Acrobat Reader when Adobe does post the update.
After checking the usual exploit sites, I found several versions of this attack and proof of concepts. I tested them against several anti virus programs, and so far none of them detect it. I believe it is because of the way this attack is implemented. And I don't think they will detect it since it's not an "infected" file but a .pdf document. I could be wrong about this and maybe there will be some anti virus software that will detect it. Let me clarify this. The exploits I found were not detected. There is a trojan going around, called Pidief.E, which uses this vulnerability to install a second piece of malware. This second piece of malware takes screen shots and installs a keylogger. The screen shots and what you have typed on your computer are uploaded somewhere so the bad guys can go through it, and look for user names, passwords, credit card numbers, etc.
This particular malware can be detected, it's the others that are out there that are worrisome.
I was more concerned with finding a fix now, because Adobe has said the flaw will be closed by March 11th, through updates to Acrobat Reader 9. Updates for earlier versions will be released later.
For now I have found to fixes. The first is a "homebrew" patch from soucerfire and can be found here. While I applaud their efforts, replacing the .dll file with their patch could have unknown results. The second fix, which I have been implimenting all day it work today, is to disable java script in acrobat reader. This is easy enough to do. Simply run Adobe Acrobat Reader. Select edit and go down to teh bottom and select prefrences. Once prefrences is open, you will see JavaScript on the left side, under catagories. After you have selected JavaScript, you will see your options on the right. The first box that is checked says Enable Acrobat Java Script. Just uncheck this box, and you are done.
If you open a .pdf file in the future and it asks you to re-enable java script, be sure to tell it no. And be sure to update Acrobat Reader when Adobe does post the update.
February 10, 2009
gif Virus?
Up until now, you didn't have to worry about graphics being a virus. Then I came across this at the Internet Storm Center over at sans.org
.gif Files Presenting a Not so Pretty Picture
Published: 2009-02-07,
Last Updated: 2009-02-07 21:51:03 UTC
by Tony Carothers (Version: 1)
0 comment(s)
A Storm Center subscriber has just submitted malware embedded in .gif image files, downloaded from the image site 4chan.org. For the sake of expediency, and because this person did such a good write up, here is the analysis provided:
"The *.gif files were found the "random" board of the image board site 4chan. The files contain a large picture with instructions to save the file with a .jse extension and run it.
The *.out files are the result of applying scrdec to the gifs to reveal the encoded script.
It appears to:
(1) copy itself somewhere as 'sys.jse'
(2) add itself to a Run key in the registry
(3) (a) fetch the index to 4chan's /b forum
(b) download the first image
(c) save it as 'j.jse'
(d) attempt to run 'j.jse'
(4) construct a POST request containing the image as payload
(5) upload itself as a new post on 4chan
(6) point an instance of IE at site it came from
(3)-(6) are in an infinite loop."
To the subscriber who did the legwork on tihs one, my thanx for the excellent work
(View the original post here)
So after reading this, I see it's not so bad. Basically, you will have to rename and run the file. So you don't have to worry about .gif files being a virus at this time. However it did bring a good point to mind, that I thought I would share. You should never have to change the extension, or the last 3 letters after the dot in a file name. For eample, something.gif to something.com or something.exe or anything like that. If you are asked to do so, it's a very good chance that it could be, to get you to install something, without you knowing.
.gif Files Presenting a Not so Pretty Picture
Published: 2009-02-07,
Last Updated: 2009-02-07 21:51:03 UTC
by Tony Carothers (Version: 1)
0 comment(s)
A Storm Center subscriber has just submitted malware embedded in .gif image files, downloaded from the image site 4chan.org. For the sake of expediency, and because this person did such a good write up, here is the analysis provided:
"The *.gif files were found the "random" board of the image board site 4chan. The files contain a large picture with instructions to save the file with a .jse extension and run it.
The *.out files are the result of applying scrdec to the gifs to reveal the encoded script.
It appears to:
(1) copy itself somewhere as 'sys.jse'
(2) add itself to a Run key in the registry
(3) (a) fetch the index to 4chan's /b forum
(b) download the first image
(c) save it as 'j.jse'
(d) attempt to run 'j.jse'
(4) construct a POST request containing the image as payload
(5) upload itself as a new post on 4chan
(6) point an instance of IE at site it came from
(3)-(6) are in an infinite loop."
To the subscriber who did the legwork on tihs one, my thanx for the excellent work
(View the original post here)
So after reading this, I see it's not so bad. Basically, you will have to rename and run the file. So you don't have to worry about .gif files being a virus at this time. However it did bring a good point to mind, that I thought I would share. You should never have to change the extension, or the last 3 letters after the dot in a file name. For eample, something.gif to something.com or something.exe or anything like that. If you are asked to do so, it's a very good chance that it could be, to get you to install something, without you knowing.
Subscribe to:
Posts (Atom)
Posts
