Symantec confirms Adobe Reader exploits targeted defence companies

Pro

8 December 2011

Security researchers at Symantec have confirmed that exploits of an unpatched Adobe Reader vulnerability targeted defence contractors, among other businesses.

"We’ve seen [this targeting] people at telecommunications, manufacturing, computer hardware and chemical companies, as well as those in the defence sector," said Joshua Talbot, senior security manager in Symantec’s security response group, in an interview.

Symantec mined its global network of honeypots and security detectors, and located e-mail messages with attached malicious PDF documents, to come to that conclusion. The inclusion of defence contractors was not unexpected.

When Adobe warned Reader and Acrobat users that hackers were exploiting a "zero-day" bug on Windows PCs, it credited Lockheed Martin’s security response team and the Defence Security Information Exchange (DSIE), a group of major defence contractors that share information about computer attacks, with reporting the vulnerability.

The DSIE is composed of companies that are also part of what the federal government calls the "Defence Industrial Base," or DIB. Among the DIB’s members are some of the country’s largest defence contractors, including Boeing, General Dynamics, Lockheed Martin, Northrup Grumman, Pratt & Whitney and Raytheon.

Symantec found attack e-mails dated 1 November and 5 November, 2011.

It also published an image of a redacted e-mail of the attack’s bait, the promise of a 2012 guide to policies on new contract awards, that it said was a sample of the pitches that tried to dupe recipients into opening the attached PDF document.

The message’s subject heading read, "FY12 XXXXX Contract Guide," and the body simply stated, "FY12 XXXXX contract guide is now available for all contractors of XXXXX. The new guide contains update information of XXXXX policy on contract award process.

Opening the attached attack PDF also executed the malicious code, likely malformed 3-D graphics data, hidden in the PDF, compromising the targeted PC and letting the attacker infect the machine with malware.

That malware, Talbot said, was identical to what was used in early 2010 by hackers exploiting a then unpatched bug in Microsoft’s Internet Explorer 6 (IE6) and IE7. Symantec labelled the malware "Sykipot" last year.

"It’s not overly sophisticated," said Talbot. "It’s a general-purpose backdoor. One of the interesting things about it is that it does use a form of encryption of the stolen information, which helps the attack hide what information is stolen."

Sykipot encrypts the pilfered data after it has been retrieved from the victimised firm but while it is still stored on the company’s network, as well as when it is transmitted to a hacker-controlled server.

Those command-and-control (C&C) servers are still operating, Talbot said.

Because of the similarities, using Sykipot, which isn’t widely in play, and exploiting zero-day vulnerabilities, Symantec suspects that the same group of hackers who launched the attacks against IE6 and IE7 last year were also responsible for the Reader-based attacks seen last month.

Microsoft patched the IE6 and IE7 vulnerability on 30 March, 2010, in an emergency, or "out-of-band," update.

Although Symantec found evidence of only the early November attacks, Talbot said he would not be surprised if the criminals fired off another information stealing campaign between now and when Adobe promised to patch the bug in Reader and Acrobat 9.x on Windows, the versions that have been exploited in the wild.

Talbot declined to specify the geographic location of the Sykipot C&C servers, or speculate on the origin of the Reader exploits.

Adobe will patch the Windows versions of Reader and Acrobat 9.x by the end of this week, and has promised to deliver fixes to Reader and Acrobat 9.x to Mac and Unix users, and to Reader and Acrobat 10.x for all platforms, next month.

Symantec has shipped detection signatures for the rogue PDFs to its customers, said Talbot.

 

IDG News Service

Read More:


Back to Top ↑

TechCentral.ie