Targeted emails exploit new Acrobat Reader vulnerability

Earlier this week Adobe warned users of their nearly ubiquitous Adobe Reader software of a new zero-day vulnerability being exploited in the wild.

They are working on making a patch available for Adobe Reader 9 no later than the week of December 12th, but will not be fixing the flaw in Reader X until January 10th, 2012.

Why the delay for Reader X? Adobe’s Brad Arkin explained in a blog post that the “Protected Mode” sandbox functionality introduced in Reader X prevents the exploit from successfully infecting Windows PCs.

I spoke with Brad Arkin back in October and he discussed some of the security initiatives ongoing at Adobe, including the fact that to date no malware has yet escaped from Adobe Reader X’s sandbox.

(4 October 2011, duration 23:07 minutes, size 15.8 MBytes)

We have started seeing a small number of targeted samples in SophosLabs of attackers trying to use this vulnerability (CVE-2011-2462/APSA11-04) in email attachments.

The emails are well crafted and look very believable. The sample I have been analyzing appears to come from Barclays bank in New York City.

The body reads quite simply:


Please find attached this week's Barclays Capital U.S. Financial Sponsors Newsletter.


Email containing Adobe Reader zero day exploit

The email has an attachment titled “Barclays Capital Financial Sponsors Weekly Newsletter.pdf” which is designed to exploit CVE-2011-2462. Other similar emails have been seen in the wild pretending to be from other reputable organizations.

If the attachment is opened in Adobe Reader 9 or earlier, it drops three files: d3d8caps.dat, AcrA2CA.tmp and dump.exe.

Dump.exe is a downloader that attempts to retrieve a further payload. We have not yet been able to retrieve the malware that this malware is designed to retrieve; if we are successful I will post an update.

Strangely, looking at the strings inside of the exploit PDF, we see an interesting identifier. The author value in the PDF is set to:

"Author (Fo) /email ( /web (".
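For triage of similar attachments, the following added Python example (not code from the original post or from SophosLabs) pulls literal-string metadata such as the Author value out of raw PDF bytes and marks values that never terminate. It assumes the metadata sits in an uncompressed, unencrypted object, as it must for a strings view to show it; the sample bytes and every value in them are constructed.

```python
import re

# Keys taken from the metadata string quoted on the page.
KEY_RE = re.compile(rb"/(Author|email|web)\s*\(")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}  # octal escapes not decoded


def read_literal(buf, pos):
    """Parse a PDF literal string whose opening '(' is at buf[pos].

    Handles balanced nested parentheses and backslash escapes.
    Returns (value, end_pos), or (None, pos) if the string never closes.
    """
    depth, out, i = 0, bytearray(), pos
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\" and i + 1 < len(buf):
            nxt = buf[i + 1:i + 2]
            out += ESCAPES.get(nxt, nxt)  # \( \) \\ are kept as the bare byte
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
            out += c
        else:
            out += c
        i += 1
    return None, pos


def extract_metadata(pdf_bytes):
    """Return [(key, value or None)]; None marks an unterminated string."""
    found = []
    for m in KEY_RE.finditer(pdf_bytes):
        value, _ = read_literal(pdf_bytes, m.end() - 1)
        text = value.decode("latin-1") if value is not None else None
        found.append((m.group(1).decode(), text))
    return found


# Constructed sample: one well-formed object, one with a truncated Author.
SAMPLE = (b"%PDF-1.6\n1 0 obj\n<< /Author (Example \\(lab\\) user) "
          b"/email (analyst@example.invalid) /web (example.invalid) >>\nendobj\n"
          b"2 0 obj\n<< /Author (unterminated >>\nendobj\n")

if __name__ == "__main__":
    for key, value in extract_metadata(SAMPLE):
        print(key, "=>", repr(value) if value is not None else "MALFORMED")
```

Recurring or malformed metadata values recovered this way can be used to group related samples before deeper analysis.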

As Brad Arkin states in his blog, if you are a user of Adobe Reader on Windows and haven’t upgraded to Reader X yet, now would be a great time.

Sophos customers are proactively protected from this malware by Exp/20112462-A and the downloader is detected as Mal/Dotter-A.