Targeted emails exploit new Acrobat Reader vulnerability


Earlier this week Adobe warned users of its nearly ubiquitous Adobe Reader software of a new zero-day vulnerability being exploited in the wild.

Adobe is working on a patch for Adobe Reader 9, to be made available no later than the week of December 12th, but will not fix the flaw in Reader X until January 10th, 2012.

Why the delay for Reader X? Adobe's Brad Arkin explained in a blog post that the "Protected Mode" sandbox functionality introduced in Reader X prevents the exploit from successfully infecting Windows PCs.

I spoke with Brad Arkin back in October and he discussed some of the security initiatives ongoing at Adobe, including the fact that to date no malware has yet escaped from Adobe Reader X's sandbox.

(Audio interview, 4 October 2011, duration 23:07, size 15.8 MB)

We have started seeing a small number of targeted samples in SophosLabs of attackers trying to use this vulnerability (CVE-2011-2462/APSA11-04) in email attachments.

The emails are well crafted and look very believable. The sample I have been analyzing purports to come from Barclays bank in New York City.

The body reads quite simply:

All,

Please find attached this week's Barclays Capital U.S. Financial Sponsors Newsletter.

Thanks,
Safwan

Email containing Adobe Reader zero day exploit

The email has an attachment titled "Barclays Capital Financial Sponsors Weekly Newsletter.pdf" which is designed to exploit CVE-2011-2462. Other similar emails have been seen in the wild pretending to be from other reputable organizations.

If the attachment is opened in Adobe Reader 9 or earlier, it drops three files: d3d8caps.dat, AcrA2CA.tmp and dump.exe.

Dump.exe is a downloader that attempts to retrieve a further payload. We have not yet been able to retrieve the second-stage malware that dump.exe is designed to fetch; if we succeed I will post an update.

Strangely, looking at the strings inside the exploit PDF we see an interesting identifier. The author field in the PDF's document information dictionary, together with two non-standard keys sitting next to it, reads:

"Author (Fo) /email (fo@gmail.com) /web (fo.googlepages.com)".
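A practitioner triaging such a sample would pull the document information dictionary out of the PDF rather than eyeball raw strings. The following Python script is an added example written for this article, not code from the post or from SophosLabs. The two PDFs it parses are constructed inputs that only mimic the metadata quoted above (the real sample's internal structure, including whether its dictionary is compressed, is not described in the post), and the parser assumes uncompressed objects with literal parenthesised strings.

```python
import re
from typing import Dict, Optional

# Constructed test input: a minimal PDF whose document information dictionary
# carries the /Author, /email and /web values quoted in the post. This is NOT
# the real exploit sample, and no exploit content is modelled here.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Author (Fo) /email (fo@gmail.com) /web (fo.googlepages.com) /Producer (unknown) >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Constructed benign control: standard keys only, with an escaped parenthesis.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Author (Alice \\(Acme\\)) /Producer (SomeWriter 1.0) >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Values quoted in the post for the analysed sample.
KNOWN_SAMPLE_INFO = {"Author": "Fo", "email": "fo@gmail.com", "web": "fo.googlepages.com"}

# Keys the PDF specification defines for the document information dictionary;
# anything else is a custom key and worth a look, though custom keys are legal.
STANDARD_INFO_KEYS = {"Title", "Author", "Subject", "Keywords", "Creator",
                      "Producer", "CreationDate", "ModDate", "Trapped"}

INFO_REF_RE = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# "/Key (literal string)" pairs; backslash escapes inside the string are tolerated.
KEY_STRING_RE = re.compile(rb"/([A-Za-z0-9_.\-]+)\s*\(((?:\\.|[^\\)])*)\)")


def find_object(pdf: bytes, num: int, gen: int) -> Optional[bytes]:
    """Return the body of 'num gen obj ... endobj'. With incremental updates the
    same object number can be redefined; the last definition in the file wins."""
    pattern = rb"^%d\s+%d\s+obj\b(.*?)endobj" % (num, gen)
    bodies = re.findall(pattern, pdf, re.S | re.M)
    return bodies[-1] if bodies else None


def unescape_literal(s: bytes) -> str:
    # Drop the backslash from \( \) \\ and other single-character escapes
    # (octal escapes such as \101 are not decoded).
    return re.sub(rb"\\(.)", rb"\1", s).decode("latin-1")


def parse_info_dict(pdf: bytes) -> Dict[str, str]:
    """Key -> value pairs from the trailer's /Info dictionary. Limits: only
    uncompressed objects and literal (...) strings are handled; objects stored
    inside object streams (PDF 1.5+) and hex <...> strings are not."""
    refs = INFO_REF_RE.findall(pdf)
    if not refs:
        return {}
    num, gen = (int(x) for x in refs[-1])  # last trailer/xref stream wins
    body = find_object(pdf, num, gen)
    if body is None:
        return {}
    return {k.decode("latin-1"): unescape_literal(v)
            for k, v in KEY_STRING_RE.findall(body)}


def triage(pdf: bytes) -> Dict[str, object]:
    info = parse_info_dict(pdf)
    nonstandard = sorted(k for k in info if k not in STANDARD_INFO_KEYS)
    matched = sorted(k for k, v in info.items() if KNOWN_SAMPLE_INFO.get(k) == v)
    return {
        "info": info,
        "nonstandard_keys": nonstandard,
        "matched_known_sample": matched,
        # Only an exact match on the post's values counts as a hit; custom keys
        # on their own are reported but not treated as malicious.
        "suspicious": bool(matched),
    }


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(name, triage(blob))
```

Running the script prints the parsed dictionary and verdict for each constructed input. Custom keys such as /email and /web are permitted in an Info dictionary, so they are listed separately and only an exact match on the quoted values is flagged. A production detection would also need to read object streams and xref streams, where a regex over the raw bytes never sees the dictionary at all.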

As Brad Arkin states in his blog, if you are a user of Adobe Reader on Windows and haven't upgraded to Reader X yet, now would be a great time.

Sophos customers are proactively protected from this malware by Exp/20112462-A and the downloader is detected as Mal/Dotter-A.



About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.