October 9, 2009 5:24 PM PDT

Adobe exploit puts backdoor on computers

by Elinor Mills

A new zero-day exploit targeting Adobe Reader and Acrobat 9.1.3 and earlier (both from Adobe Systems) uses JavaScript to drop a backdoor onto computers, Trend Micro researchers warned on Friday.

Trend Micro identified the exploit as a Trojan horse dubbed "Troj_Pidief.Uo" in a blog post. It arrives as a PDF file containing JavaScript-based malware, "Js_Agent.Dt," and then drops a backdoor called "Bkdr_Protux.Bd."

The exploit affects Microsoft Windows 98, ME, NT, 2000, XP, and Server 2003, according to Trend Micro.

The blog post provides technical details on how the malware works, specifically the activity of its shell code, the piece of code that delivers the payload. The JavaScript is used to execute arbitrary code via a technique known as "heap spraying."

"Based on our findings, the shell code (that was heap-sprayed) jumps to another shell code inside the PDF file" before extracting and executing the backdoor, Trend Micro said. The backdoor "is also embedded in the PDF file and not the usual file downloaded from the Web."
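The two paragraphs above describe the chain from the defender's point of view only in outline: a document-level action fires a JavaScript stream, the script fills the heap with a repeated pointer-like block, and the real payload is already inside the PDF. The following Python triage script is an added example, not code from the article or from Trend Micro, and the PDF it scans is a constructed, benign skeleton rather than the Pidief sample; the indicator names and thresholds are my own assumptions. It flags the script trigger (/OpenAction, /AA), the script objects (/JavaScript, /JS), and two textual signs of a spray inside stream bodies: an unescape() of repeated %uXXXX words and a self-doubling string loop.

```python
import re

# Constructed sample, not a real malicious document: a minimal PDF whose
# /OpenAction fires a JavaScript stream that builds a large 0x0c0c0c0c block
# and copies it into many array slots, the shape of the "heap spraying" the
# article describes. The placeholder string stands in for shellcode, and the
# object lengths are deliberately omitted: this is input for the scanner, not
# for a viewer.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS 5 0 R >> endobj
5 0 obj << >>
stream
var sc = "<constructed placeholder, stands in for the sprayed shellcode>";
var pad = unescape("%u0c0c%u0c0c");
while (pad.length < 0x40000) pad += pad;
var spray = new Array();
for (var i = 0; i < 400; i++) spray[i] = pad + sc;
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign control: a script action that only shows a dialog.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /JavaScript /JS (app.alert("hello")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Assumed indicator set: document-level triggers and script object keys.
ACTION_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"]
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# unescape("%uXXXX%uXXXX...") : a block built from repeated 16-bit words.
UNESCAPE_RE = re.compile(rb"unescape\s*\(\s*[\"']((?:%u[0-9a-fA-F]{4}){2,})[\"']")
# while (x.length < N) x += x; : the block doubling itself to a large size.
GROW_LOOP_RE = re.compile(rb"while\s*\(\s*(\w+)\.length\s*<[^)]*\)\s*\1\s*\+=\s*\1")


def triage_pdf(data: bytes) -> dict:
    """Return indicator counts and a verdict for a PDF given as bytes.

    Counts each key in ACTION_KEYS over the raw file, then looks inside every
    stream body for the spray signatures. The verdict requires both a repeated
    %u block and a doubling loop; a lone JavaScript action is only reported.
    """
    findings = {key.decode(): data.count(key) for key in ACTION_KEYS}
    spray_blocks = []
    doubling_loops = 0
    for body in STREAM_RE.findall(data):
        for m in UNESCAPE_RE.finditer(body):
            spray_blocks.append(m.group(1).decode())
        doubling_loops += len(GROW_LOOP_RE.findall(body))
    findings["unescape_blocks"] = spray_blocks
    findings["doubling_loops"] = doubling_loops
    findings["script_on_open"] = findings["/OpenAction"] > 0 and findings["/JS"] > 0
    findings["heap_spray_suspected"] = bool(spray_blocks) and doubling_loops > 0
    return findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, triage_pdf(doc))
```

The scanner works on the raw bytes only, so a stream that is compressed (/FlateDecode) or otherwise filtered must be decoded first; it also says nothing about the embedded executable, which is a separate check.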

Variants of the Protux backdoor typically provide an attacker unrestricted user-level access to a compromised machine and previously exploited vulnerabilities in Microsoft Office files, according to Trend Micro.

Adobe announced on Thursday that it would release an update to fix the hole on Tuesday, the same day as Microsoft's Patch Tuesday.

This screenshot shows the embedded executable file in the PDF file, after it has been decrypted.

(Credit: Trend Micro)
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
28 Comments
by libertyforall1776 October 9, 2009 5:36 PM PDT
Let's not forget about Microsoft's exploits:
http://nationalexpositor.com/News/1128.html
Reply to this comment
by bananaphonerules October 9, 2009 6:37 PM PDT
Where's my tin foil hat?...again.
by captain_numerica October 9, 2009 6:50 PM PDT
Yes, nice reputable source. Need more tin foil.
by richard993 October 10, 2009 6:24 PM PDT
The thing that is more concerning is that these exploits may now be hidden in hardware or deep within the CPU or within ROM... and good luck to anyone who can reverse engineer anything once it's embedded in the CPU!
by gggg sssss October 9, 2009 5:57 PM PDT
JavaScript in a web page I understand. JavaScript in a PDF?
Reply to this comment
by danielkza October 9, 2009 7:09 PM PDT
Yes, ActionScript, as Adobe calls it, is also heavily used in Flash. Since it was specially tailored to handle structured documents (HTML), it was the obvious choice for PDF's scripting language.
by shellcodes_coder October 9, 2009 7:53 PM PDT
It's not an "Adobe exploit", it's an exploit for Acrobat. Seems like Vista and 7 are unaffected because of DEP.
Reply to this comment
by i_made_this November 5, 2009 7:02 PM PST
It is an Adobe exploit - specifically, an exploit in Adobe's ubiquitous program, Reader.

Adobe Reader, which all computer users use in order to read pdf documents, is part of a larger package of communications programs Adobe markets called Acrobat.

Most Home, Home Office and Small Business users do not need as large and extensive a program as Adobe Acrobat, which is why they don't use it.

But we all use Adobe Reader, at least for now. On a malware-per-program basis, many folks have no question that Adobe is a far larger supplier of malware to the world market than any other software company.
by EvanSei October 9, 2009 8:36 PM PDT
and this is why I use adobe products as little as possible
Reply to this comment
by ikramerica--2008 October 9, 2009 10:35 PM PDT
So true. I use Photoshop, but use alternatives for all PDFs, and turn off Flash in my browser unless it's needed for a site I trust.
by aaanandhismini October 9, 2009 9:20 PM PDT
EvanSei

Agreed. I try and keep my system Adobe free, terrible quality in the last 10 years.
Reply to this comment
by JLBer October 9, 2009 10:10 PM PDT
And this is why I use FoxIt Reader.
Reply to this comment
by TxTom21 October 10, 2009 7:08 AM PDT
The headline is overly broad. It should read "Adobe exploit puts backdoor on PCs." Apparently, Macs are not affected, neither are Linux boxes. And Macs and Linux installs are, after all, computers. Or maybe the editor's intent was to make everyone read the article to verify the details. If so, it's disingenuous. Otherwise, it's poor editing.
Reply to this comment
by shellcodes_coder October 10, 2009 7:47 AM PDT
Mac versions of Acrobat are affected too, but as Charlie Miller said, if the hackers can target 90+% market share, i.e. Windows users, why would they care about 8% of Mac users?
by Random_Walk October 10, 2009 12:05 PM PDT
"Mac versions of Acrobat are affected too"

Look at the image of the hex edit up there, specifically the portion that reads "This program cannot be run in DOS mode" - that's present in every Windows binary... but not in *nix binaries. ;)
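Random_Walk's observation can be turned into a file check. What follows is an added example, not code from the thread or from Trend Micro: a Python scanner that looks for a Windows executable embedded in any byte string by validating the MZ header and its e_lfanew pointer to the "PE\0\0" signature, and only then reports whether the DOS stub message is present between the two. The "executable" it finds is a constructed stand-in with a valid header and no code, and because the article says the embedded file had to be decrypted before the screenshot was taken, the example also tries every single-byte XOR key (an assumed encoding, not the one the real sample used).

```python
import struct

DOS_STUB_MSG = b"This program cannot be run in DOS mode."


def build_fake_pe() -> bytes:
    """Constructed stand-in for a Windows executable (no code at all): a 64-byte
    MZ header whose e_lfanew field at offset 0x3c points past the standard DOS
    stub to a PE signature. Enough structure for the detector, nothing more."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    stub = b"\x0e\x1f\xba\x0e\x00" + DOS_STUB_MSG + b"\r\r\n$"
    pe_offset = 64 + len(stub)
    struct.pack_into("<I", dos_header, 0x3C, pe_offset)
    return bytes(dos_header) + stub + b"PE\0\0" + b"\0" * 20


# Constructed carrier files: one with the fake PE in clear inside a stream,
# one with the same bytes XOR-encoded with the (assumed) key 0x5A.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\nstream\n"
              + build_fake_pe() + b"\nendstream\n%%EOF\n")
ENCODED_SAMPLE = b"%PDF-1.4\n" + bytes(b ^ 0x5A for b in build_fake_pe()) + b"\n%%EOF\n"


def find_embedded_pe(data: bytes) -> list:
    """Return [(offset, has_dos_stub_message)] for every validated PE image.

    A hit needs three things in a row: the "MZ" magic, an e_lfanew value that
    stays inside a plausible header range, and "PE\\0\\0" at that offset. The DOS
    stub text alone is never treated as proof, since any file can contain it.
    """
    hits = []
    start = 0
    while True:
        off = data.find(b"MZ", start)
        if off < 0:
            break
        start = off + 1
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        pe_at = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and data[pe_at:pe_at + 4] == b"PE\0\0":
            hits.append((off, DOS_STUB_MSG in data[off:pe_at]))
    return hits


def find_xor_encoded_pe(data: bytes) -> list:
    """Brute-force every single-byte XOR key and return [(key, offset, has_stub)]
    for each validated PE found in the decoded copy. Key 0 is the clear case."""
    results = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        for off, has_stub in find_embedded_pe(decoded):
            results.append((key, off, has_stub))
    return results


if __name__ == "__main__":
    print("clear:", find_embedded_pe(SAMPLE_PDF))
    print("xor:", find_xor_encoded_pe(ENCODED_SAMPLE))
    print("text only:", find_embedded_pe(b"notes: " + DOS_STUB_MSG))
```

The last call in the usage block makes the caveat explicit: a file that merely contains the sentence from the screenshot produces no hit, while a header with a valid PE pointer is reported even if a packer has stripped the stub text.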
by Perry_Clease October 10, 2009 1:11 PM PDT
"why would they care about 8% of mac users?"

Because we are generally wealthier as recent studies have indicated?
by Vegaman_Dan October 10, 2009 3:09 PM PDT
@Perry_Clease:

"Because we are generally wealthier as recent studies have indicated?"

Or that they know you blew all your money and more on the Mac and have no money left over to go after?
by Perry_Clease October 10, 2009 6:20 PM PDT
"Or that they know you blew all your money and more on the Mac and have no money left over to go after?"

Wrong Danny! Windows users are easy to fool.
by CyR00k October 10, 2009 8:07 PM PDT
"why would they care about 8% of mac users?"

Because Snow Leopard is the least secure OS in existence. It is an easier target than Windows or Linux since all Mac owners have been lulled into a false sense of security (much like you, since you think no one would write malware for Macs). The hacker, possibly, feels spiteful about the unbelievable arrogance of Mac owners. JavaScript will run on any platform including the iPhone and iPod Touch (both of which are also not secure devices).
by shellcodes_coder October 11, 2009 8:00 AM PDT
@Random_Walk: Read properly, I said Mac versions of Acrobat are vulnerable too; I didn't say those exploit codes were for the OS X version of Acrobat!! Next time, read properly.
by DrtyDogg October 11, 2009 9:00 AM PDT
From Adobe:
"Update 2:56 p.m. PDT: Also on Thursday, Adobe Systems announced that it will release an update Tuesday that will resolve a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier on Windows, Macintosh and Unix that has reportedly been exploited in the wild in limited targeted attacks."
by ckh1272 October 11, 2009 12:16 PM PDT
@shelly-How about showing us where it affects Mac users.
by ckh1272 October 11, 2009 12:42 PM PDT
I'll save ole' shelly the trouble. Here is the official bulletin from Adobe:

http://www.adobe.com/support/security/bulletins/apsb09-15.html
by Altotus October 10, 2009 10:30 AM PDT
I guess it's not paranoia, just where do you fold that tin foil to get a good hat, or should I just wrap it around and around until I run out?
Reply to this comment
by birdtford October 10, 2009 2:42 PM PDT
Use the whole roll. It provides better protection :-))
by Vegaman_Dan October 10, 2009 3:10 PM PDT
Origami lessons are useful in this situation. But make sure when you make your hat to have it shiny side out. Otherwise you'll cook your own brain when thinking too hard.

That's no danger for me of course, I was half baked to start with.
by Chukwudi October 12, 2009 6:14 PM PDT
has there been an update by adobe yet? (I didn't bother reading all responses...)
Reply to this comment
by csonp October 13, 2009 1:15 AM PDT
Yet another reason to use web based PDF viewers like http://www.pdfescape.com and not rely on the (apparently poor) JavaScript implementation of Adobe, but instead on that of your trusted browser.
Reply to this comment
About InSecurity Complex

Elinor Mills became fascinated with hacker culture when she was sent to Las Vegas to cover DefCon in 1995. Since then, script kiddies have given way to cyber criminals targeting bank passwords, and privacy risks are everywhere, from Google to Facebook and the iPhone. InSecurity Complex keeps tabs on the flaws, the foibles, and the fixes.