Zeus botnet exploits unpatched PDF flaw
Researchers spot first widespread attack using Reader, Acrobat design flaw
Computerworld - The Zeus botnet is now using an unpatched flaw in Adobe's PDF document format to infect users with malicious code, security researchers said today.
The attacks come less than a week after other experts predicted that hackers would soon exploit the "/Launch" design flaw in PDF documents to install malware on unsuspecting users' computers.
The just-spotted Zeus variant uses a malicious PDF file that embeds the attack code in the document, said Dan Hubbard, CTO of San Diego, Calif.-based security company Websense. When users open the rogue PDF, they're asked to save a PDF file called "Royal_Mail_Delivery_Notice.pdf." That file, however, is actually a Windows executable that when it runs, hijacks the PC.
Zeus is the first major botnet to exploit a PDF's /Launch feature, which is, strictly speaking, not a security vulnerability but actually a by-design function of Adobe's specification. Earlier this month, Belgium researcher Didier Stevens demonstrated how a multistage attack using /Launch could successfully exploit a fully-patched copy of Adobe Reader or Acrobat.
Stevens was not the first to reveal the /Launch vulnerability. In August 2009, a module using the same flaw was added to the open-source Metasploit penetration testing kit, said HD Moore, Metasploit's creator and the chief security officer at Rapid7. "Colin Ames of Attack Research wrote this module as part of his Black Hat USA presentation," said Moore. "Didier's work was independent of what we already had, but uses almost the same method at its core."
Today, Stevens said that the Zeus attack Trojan was actually using the Metasploit module. "From what I can read, the new Zeus PDF actually uses a [Metasploit] Adobe PDF exploit," Stevens said on Twitter, pointing to another description of the new attack by M86 Security of Orange, Calif.
Although Reader and Acrobat display a warning when an executable inside a PDF file is launched, that's not enough to stop users from launching the bogus document, said Websense's Hubbard. "No one is blanket-blocking PDFs at the gateway," he said. "There's so much business value in PDFs, and they're very pervasive." In other words, people trust PDFs, he said -- much more even than some other popular document formats, such as Microsoft Word.
Websense has tracked several thousand Zeus attacks using the embedded malware and /Launch function. "The attacks are still going on," Hubbard said.
While the attack technique may be new, the behind-the-scenes malware and the gang that produces it is standard Zeus fare, Hubbard continued. Zeus is best known for planting identity theft code on victims' PC to steal, for instance, online banking logon usernames and passwords. "The motives aren't any different here," said Hubbard.
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!