Thursday, April 21, 2011

PDFExaminer Flash Handling

Hello,

We are now exploding compressed Flash embedded in PDFs to allow for additional signature scanning for better CVE identification in embedded Adobe Flash files. Uncompressed Flash will be shown on the new "Flash" tab when viewing a PDF object which contains Flash.

Check out PDFExaminer.

PDFExaminer new features

Added several new features to the PDFExaminer. Email reports can optionally be sent after you submit a sample; you can also attach the phishing email or a comment, and you can mark a sample as private to keep it out of the upcoming list of recently detected malware reports.

We've also added a detection rating - malware, suspicious or clean to distinguish between PDFs with some obfuscated JavaScript and those with a detected CVE exploit.

Check out the PDFExaminer.

Sunday, April 17, 2011

CVE-2011-0611 Zero Day

Another update on CVE-2011-0611: we're seeing reports of its use in PDF files (similar to the recent use of CVE-2011-0609 in PDF), and Adobe will be releasing a patch by the week of April 25th. Adobe Reader contains its own internal copy of Flash Player, so updating the standalone Flash Player will not protect you from PDFs with embedded CVE-2011-0611 exploits.

You can scan any suspicious PDF for free with our PDF Examiner tool: https://www.malwaretracker.com/pdf.php

Wednesday, April 13, 2011

CVE-2011-0609 attacks via PDF file

We've just come across a new use of CVE-2011-0609, formerly only seen in XLS files, now used in a PDF file sent in a targeted email attack.

Filename: 民進黨2012+年....pdf (translates as DPP 2012 and beyond - DPP is Taiwan's Democratic Progressive Party)
MD5: 3d1fc4deb5705c750df6930550c2fc16
sha1: 3f6b96a62ae780b8c9d4094e478388036f336188
sha256: d742293773b4c6725bed769651a36baec6cd0b06c96662c688fce0f09f5d82c4
ssdeep: 12288:5aZEUjnnntnfnPnnnnnye2MUI2caPV6BWExnfAcc2spmUL0VnJtoQhUImzaIE0sT:GfURULy6NrFASbdX


PDF Object 2 contains a SWF file (MD5 40792ec6d7b7f66e71a3fdf2e58cb432) subtly named "~CVE-2011-0609.swf". Decompressing the CWS (zlib-compressed SWF) to FWS (uncompressed SWF) gives MD5 00cf8b68cce68a6254b6206f250540fd.
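The CWS-to-FWS step above is the same "exploding" of compressed Flash that the PDFExaminer feature note at the top of this page describes, so here is an added worked example of it. This is illustrative Python written for this page, not PDFExaminer's own code: it locates SWF headers in an already-decoded stream blob, inflates a CWS body into an FWS with the same version and length fields, checks the header's declared length against what actually inflated, and hashes both forms. The sample SWF is constructed inline (a minimal one-frame file, not the "~CVE-2011-0609.swf" from the post); ZWS (LZMA) files and the PDF stream decoding itself are left out.

```python
import hashlib
import re
import struct
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA (Flash 11+)


def parse_swf_header(data: bytes):
    """Return (signature, version, declared_length) from an 8-byte SWF header.
    The length field counts the whole uncompressed file, header included."""
    if len(data) < 8:
        raise ValueError("too short for a SWF header")
    sig, version = data[:3], data[3]
    length = struct.unpack_from("<I", data, 4)[0]
    if sig not in SWF_SIGNATURES:
        raise ValueError("not a SWF signature: %r" % sig)
    return sig, version, length


def carve_swf(blob: bytes, off: int):
    """Return (raw_swf_bytes, inflated_fws_bytes) for the SWF header at `off`.
    FWS length comes from the header; for CWS the end of the zlib stream marks
    the end of the file, so trailing bytes of the enclosing stream are dropped."""
    sig, version, length = parse_swf_header(blob[off:off + 8])
    if sig == b"FWS":
        raw = blob[off:off + length]
        return raw, raw
    if sig == b"ZWS":
        raise NotImplementedError("ZWS/LZMA SWFs are outside the scope of this example")
    d = zlib.decompressobj()
    body = d.decompress(blob[off + 8:]) + d.flush()
    consumed = len(blob) - (off + 8) - len(d.unused_data)
    raw = blob[off:off + 8 + consumed]
    # A mismatch means a truncated file or a doctored length field; flag it
    # rather than silently signature-scanning a partial body.
    if len(body) + 8 != length:
        raise ValueError("header says %d bytes, inflated to %d" % (length, len(body) + 8))
    return raw, b"FWS" + bytes([version]) + struct.pack("<I", length) + body


def cws_to_fws(data: bytes) -> bytes:
    """Inflate a whole CWS file into the equivalent FWS (FWS input is returned as is)."""
    return carve_swf(data, 0)[1]


def fws_to_cws(data: bytes) -> bytes:
    """Reverse direction; used here to build test input and for round-trip checks."""
    sig, version, length = parse_swf_header(data)
    if sig != b"FWS":
        raise ValueError("expected an FWS input")
    return b"CWS" + bytes([version]) + struct.pack("<I", length) + zlib.compress(data[8:], 9)


def find_swf_signatures(blob: bytes, max_version: int = 64):
    """Offsets of plausible SWF headers inside a decoded stream blob."""
    hits = []
    for m in re.finditer(rb"[FCZ]WS", blob):
        off = m.start()
        if off + 9 > len(blob):
            continue
        version = blob[off + 3]
        length = struct.unpack_from("<I", blob, off + 4)[0]
        # Heuristic: zlib output from Flash tooling almost always starts with CMF 0x78.
        if blob[off:off + 3] == b"CWS" and blob[off + 8] != 0x78:
            continue
        if 1 <= version <= max_version and length >= 8:
            hits.append(off)
    return hits


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_sample_fws() -> bytes:
    """Constructed minimal SWF (not the sample from the post): 550x400 frame,
    12 fps, one frame, End tag."""
    body = (b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00"  # RECT frame size
            + b"\x00\x0c"                             # frame rate 12.0 (8.8 fixed)
            + b"\x01\x00"                             # frame count
            + b"\x00\x00")                            # End tag
    return b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body


if __name__ == "__main__":
    cws = fws_to_cws(build_sample_fws())
    stream = b"<<stream>>" + cws + b"endstream"   # stand-in for a decoded PDF stream
    for off in find_swf_signatures(stream):
        raw, inflated = carve_swf(stream, off)
        sig, version, length = parse_swf_header(raw)
        print("offset %d %s v%d len=%d md5=%s" % (off, sig.decode(), version, length, md5hex(raw)))
        print("  inflated FWS md5=%s" % md5hex(inflated))
```

Hashing both forms matters in practice: the compressed bytes are what the PDF carried (and what other analysts will have), while the inflated FWS is what byte signatures are written against, which is why the post lists both MD5s.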

Object 19 contains JavaScript to load shellcode into memory.

View the sample in PDF Examiner. Updating to the latest Flash 10.2.152.33 and Reader 9.4.2 mitigates this threat. We'll make the sample available to AV companies if requested.

For information on other current threats, see our PDF Threats and Document Threats pages.

Monday, April 11, 2011

Flash in Word zero-day

Adobe has announced a new Flash zero-day, CVE-2011-0611, being exploited via Flash embedded in Word documents; the exploit potentially uses JIT spraying. The PoC file also dropped an executable (XORed with 0x85).

MD5: 96cf54e6d7e228a2c6418aba93d6bd49
SHA1: 820699d9999ea3ba07e7f0d0c7f08fe10eae1d2d
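A single-byte XOR like the 0x85 noted above is the usual way these droppers hide their payload, and it is recoverable without any key material. The following is an added Python example written for this page (not code from the post or from the PoC): it guesses the key from byte frequency (PE images are padded with long runs of 0x00, which XOR into runs of the key), then confirms by brute-forcing all 256 keys and requiring an "MZ" header whose e_lfanew points at a "PE\0\0" signature under the same key. The embedded fake PE and its surrounding blob are constructed inline; the actual layout of the PoC document is not described on the page and is not assumed here.

```python
import struct
from collections import Counter

DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def guess_xor_key(data: bytes) -> int:
    """PE images carry long runs of 0x00 padding; XORed with one byte those zeros
    become runs of the key, so the most frequent byte is the first guess."""
    return Counter(data).most_common(1)[0][0]


def find_xored_pe(blob: bytes):
    """Brute-force all 256 keys, looking for an 'MZ' header whose e_lfanew points
    at 'PE\\0\\0' under the same key. Key 0 covers an unencoded PE.
    Returns a list of (offset, key)."""
    hits = []
    for key in range(256):
        mz = bytes((0x4D ^ key, 0x5A ^ key))
        start = 0
        while True:
            off = blob.find(mz, start)
            if off < 0:
                break
            start = off + 1
            if off + 0x40 > len(blob):
                continue
            e_lfanew = struct.unpack_from("<I", xor_bytes(blob[off + 0x3C:off + 0x40], key))[0]
            pe_off = off + e_lfanew
            if e_lfanew < 0x40 or pe_off + 4 > len(blob):
                continue
            if xor_bytes(blob[pe_off:pe_off + 4], key) == b"PE\x00\x00":
                hits.append((off, key))
    return hits


def carve_pe(blob: bytes, off: int, key: int, size: int) -> bytes:
    """Decode `size` bytes of the blob starting at the detected header."""
    return xor_bytes(blob[off:off + size], key)


def build_sample_blob():
    """Constructed test input (not the PoC from the post): a minimal fake PE
    image XORed with 0x85, placed after 37 bytes of filler."""
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    pe[0x3C:0x40] = struct.pack("<I", 0x80)          # e_lfanew
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB + b".\r\r\n$")
    pe[0x40:0x40 + len(stub)] = stub
    pe[0x80:0x84] = b"PE\x00\x00"
    pe[0x84:0x88] = struct.pack("<HH", 0x14C, 1)     # IMAGE_FILE_MACHINE_I386, 1 section
    pe = bytes(pe)
    blob = b"A" * 37 + xor_bytes(pe, 0x85) + b"\n%%EOF"
    return blob, pe


if __name__ == "__main__":
    blob, original = build_sample_blob()
    print("frequency guess: 0x%02x" % guess_xor_key(blob[37:]))
    for off, key in find_xored_pe(blob):
        decoded = carve_pe(blob, off, key, len(original))
        print("PE at offset %d, key 0x%02x, DOS stub present: %s"
              % (off, key, DOS_STUB in decoded))
```

The frequency guess alone is not proof (a document with its own zero padding can dominate the count), which is why the header walk is the deciding check; conversely the header walk is cheap enough to run over every key without the guess at all.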

Virustotal: http://www.virustotal.com/file-scan/report.html?id=1e677420d7a8160c92b2f44f1ef5eea1cf9b0b1a25353db7d3142b268893507f-1302359653

See bulletin APSA11-02.

See our list of current document format malware threats.