[Caution] New Adobe Zero Day Vulnerability

1. Introduction

Recently Adobe identified New Zero Day Vulnerability(CVE-2011-2462), in accordance with this security hole, spreading malicious file cases were reported. If this malicious file combines itself with social engineering, the range of damage will be rapidly widened. With the feature of Zero Day Vulnerability, security level of the product cannot be established. Therefore, users need to be careful on using internet against these malicious files.

[Security Advisory for Adobe Reader and Acrobat]

http://www.adobe.com/support/security/advisories/apsa11-04.html

[Affected Softwares]

Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX
Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh

2. Spreading path and symptoms of infection

This malicious file used CVE-2011-2462 vulnerability, is PDF type and can be spread through attachment of e-mail or certain link. Besides, if infected, system control permission can be lost to attacker with exposure of U3D memory tampering.

* U3D(Universal 3D)?

Universal 3D (U3D) is a compressed file format standard for 3D computer graphics data.

This malicious PDF file is a type of injecting malicious ShellCode, and its content is a type of survey(ManTech Employee Satisfaction Survey).

Upon executed this malicious PDF file, injected ShellCode will be executed. Furthermore, this PDF file will generate additional malicious files as following.

* Generated files

C:\Documents and Settings\(User Account)\Local Settings\pretty.exe
C:\Documents and Settings\(User Account)\Local Settings\WSE4EF1.TMP
C:\Documents and Settings\(User Account)\Local Settings\ctfmon.exe (Same file as pretty.exe)

Additional malicious files are known as communicating with external C&C server constantly, however, all related sites has been blocked.

3. How to prevent

Adobe announced security update Adobe Reader 9.x and Adobe Acrobat 9.x for Windows related with that vulnerability until Dec 12 for Windows. However, in case of Adobe Reader X and Adobe Acrobat X, those can protect themselves from the vulnerability with using safe mode and safe view.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function “ON”
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.
5. Execute downloaded file after scan with anti-virus SW.

INCA Internet (Security Response Center / Emergency Response Team) runs responding system against various security threats.