Friday, January 15, 2010

[News] Yet Another PDF & IE Attack


If you have not heard about the recent attacks on Google from China, you might want to visit the F-Secure blog, http://www.f-secure.com/weblog/archives/00001854.html. In summary, according to F-Secure, this is known to be another targeted attack by cybercriminals aiming to obtain intellectual property, in particular sensitive information about Chinese activists.

This attack is believed to be driven by exploits for 0-day vulnerabilities in various well-known applications such as Adobe Acrobat/Reader and Internet Explorer 6, 7 and 8. The exploit drops a DLL component which is installed as a service and opens a backdoor that lets a remote computer fully compromise the infected machine. A description of this backdoor can be found on the F-Secure description page or in Symantec's write-up of Trojan.Hydraq.

SANS also provides an analysis of the PDF exploit, which they call "PDF Babushka". As a result of this attack, Google has announced that it will stop censoring google.cn; more information can be found on the Official Google Blog: A new approach to China.

Update (17/01/2010)

Wepawet was the first to release the exploit code that is one of the attack vectors for the targeted attack on Google. The exploit only affects IE 6, which does not have DEP (Data Execution Prevention) enabled, unlike IE 7 on Windows XP SP3 and IE 8.

Needless to say, IE 6 contains lots of potential 0-day vulnerabilities that have yet to be discovered. For the Google targeted attacks, there are probably other 0-day vulnerabilities for IE 7 and IE 8 that have not yet been revealed.
  

References

[1] http://isc.sans.org/diary.html?n&storyid=8002 -- Exploit code available for CVE-2010-0249
[2] http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js -- Exploit CVE-2010-0249 Source Code
[3] http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb -- Metasploit "Aurora" Module


~Signing off
@x9090





2 comments:

Virologizt said...

Nice blog bro :-D

Anyway, just wanna give you some advice. Keep on being "freelancer" and trust nobody. Even the most harmless chick can be deceiving. Don't get yourself poisoned; it can kill you very fast. Never stop working for the community, they reward you better than the capitalists who only find you useful when they need you. Take care my friend.


As for me, I am always here fighting to keep the knowledge free...

Best Regards,

Virologizt

x9090 said...

Thanks for your advice and comment dude :)

I strongly agree with you, knowledge should be shared to keep ourselves improving.

All the best to you :D

Best Regards,

x9090