Tuesday, February 19, 2013

New Zero-day vulnerabilities in Adobe PDF

Symantec Corp. has detected in-the-wild attacks exploiting new zero-day vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe Reader and Adobe Acrobat XI and earlier.

Adobe has not yet released a patch for these vulnerabilities, but it has published mitigation recommendations against the attacks exploiting them. Symantec Mail Security, the antivirus solution for mail servers, protects against these attacks by blocking delivery of the malicious PDF files.

The online community's initial information came from the report on the new zero-day published by FireEye. It stated that successful exploitation resulted in additional files being downloaded to the victim's computer. Analysis by Symantec experts confirms this.

The attack, whose stages are shown in the figure above, proceeds as follows:

- The malicious PDF file drops a DLL named DT;
- DT decodes and installs a DLL named L2P.T;
- L2P.T creates autostart registry keys on the computer and loads the loader library LangBar32.dll;
- LangBar32.dll contacts a malicious server to download additional malware with backdoor and keylogger functionality.

Symantec products detect the malware used in these stages of the attack as Trojan.Pidief and Trojan.Swaylib (initially as Trojan Horse). In addition, a new Intrusion Prevention System (IPS) signature, Web Attack: Malicious PDF File Download 5, was released to detect the exploit.

Further investigation showed that the PDF file used in the attack is neutralized by Symantec Mail Security, and that the PDF files used in the attack are identified by Symantec's cloud detection technology as WS.Malware.2.
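Symantec Mail Security stops the document at the gateway; an analyst without that product still needs a quick way to rank a queue of PDF attachments before detonating any of them. The script below is an added example, not Symantec's or FireEye's code and not derived from the actual exploit document: it scans a constructed PDF for the name objects that exploit documents typically rely on (/OpenAction, /JavaScript, /EmbeddedFile and similar), after decoding the #xx escapes attackers use to hide those names from naive string matching. The sample bytes, the keyword list and the scoring rules are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample, not the real exploit document: a minimal PDF whose catalog
# carries an /OpenAction pointing at a JavaScript action. The /JavaScript name is
# obfuscated with a PDF name escape (/J#61vaScript), a trick malicious PDFs use
# to evade scanners that grep for the literal keyword.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert(1);) >> endobj
5 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign control: one page of text, no actions, no scripts.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 36 >> stream
BT /F1 12 Tf 72 720 Td (hello) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Name objects that are rare in ordinary office documents but common in exploit
# PDFs (assumed list; extend it for your own environment).
SUSPICIOUS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
              "/EmbeddedFile", "/RichMedia", "/ObjStm", "/XFA")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so /J#61vaScript reads as /JavaScript.

    This is deliberately coarse: it also rewrites '#xx' inside strings and
    streams, which is acceptable for triage but not for a faithful parser."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each suspicious name object in the escape-normalized PDF bytes."""
    text = normalize_names(data)
    counts = Counter()
    for kw in SUSPICIOUS:
        # A PDF name ends at whitespace or a delimiter, so /JS must not match /JSX.
        pattern = re.escape(kw.encode()) + rb"(?=[\s()<>\[\]{}/%]|$)"
        n = len(re.findall(pattern, text))
        if n:
            counts[kw] = n
    return dict(counts)


def triage(data: bytes, threshold: int = 2) -> tuple:
    """Return (verdict, counts, flags) for one attachment.

    The verdict is 'suspicious' when any specific red flag fires or when at least
    `threshold` distinct risky features are present; otherwise 'clean'."""
    counts = count_keywords(data)
    flags = []
    if not data.startswith(b"%PDF-"):
        # Viewers tolerate junk before the header, but it is unusual in mail.
        flags.append("header-not-at-offset-0")
    has_trigger = "/OpenAction" in counts or "/AA" in counts
    has_script = "/JavaScript" in counts or "/JS" in counts
    if has_trigger and has_script:
        flags.append("auto-executing-script")
    if "/EmbeddedFile" in counts or "/Launch" in counts:
        flags.append("embedded-or-launch")
    if normalize_names(data) != data:
        flags.append("hex-escaped-names")
    verdict = "suspicious" if flags or len(counts) >= threshold else "clean"
    return verdict, counts, flags


if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        verdict, counts, flags = triage(pdf)
        print(f"{label}: {verdict} counts={counts} flags={flags}")
```

The output only orders the queue; it is not a verdict on safety. A document that scores clean here may still carry an exploit in a font, image or other parser path that uses none of these keywords, so anything that arrives unexpectedly from outside should still go to a sandbox or to the vendor's detection.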

