What the Tech forum thread
Nov 7 2008, 10:43 AM - Post #1 - AplusWebMaster
- http://isc.sans.org/diary.html?storyid=5312
Last Updated: 2008-11-07 15:54:09 UTC - "...at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF. Very, very bad. The payload is in a JavaScript object embedded in the PDF document... if you haven't patched your Adobe Reader installations – do it ASAP as the attacks are in the wild."
> http://forums.whatthetech.com/Adobe_Reader...st&p=498315
Nov 7 2008, 04:27 PM - Post #2 - AplusWebMaster
If you were thinking of replacing your Adobe Reader with Foxit, -now- would be the time...
Adobe Reader v9... 33.5MB
- http://www.adobe.com/go/getreader
-OR-
- http://www.foxitsoftware.com/downloads/
Latest version: Foxit Reader 2.3 (.exe) 2.3 Build 3309 - 2.57 MB - 10/14/08
- http://asert.arbornetworks.com/2008/11/pdf...-how-to-decode/
November 7th, 2008 - "...We keep seeing Acrobat get hosed with JS exploits, this won't be the last time."

This post has been edited by AplusWebMaster: Nov 9 2008, 05:19 AM
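Posts #1 and #2 above both come down to the same thing: the payload sits in a JavaScript object inside the PDF, and at the time no AV engine flagged it. When signatures fail, the practical fallback is structural triage of the file itself. The script below is an added example, not code from the posts, the ISC diary or the Arbor article. It works on a constructed sample PDF (not a real malicious file) whose /OpenAction runs a JavaScript action, with the action name hex-escaped (/J#61vaScript) and the script hidden in a FlateDecode stream; the keyword list, the indicator patterns and the scoring are this example's own heuristics, not anything the sources prescribe.

```python
import re
import zlib

# Constructed sample (made up for this example, not a real malicious file):
# a minimal PDF whose catalog /OpenAction runs a JavaScript action. The action
# name uses a PDF name escape (/J#61vaScript) to dodge naive greps, and the
# script itself is hidden in a FlateDecode-compressed stream.
SAMPLE_JS = b"var sc = unescape('%u9090%u9090'); app.alert('constructed sample');"
SAMPLE_STREAM = zlib.compress(SAMPLE_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /J#61vaScript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(SAMPLE_STREAM)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + SAMPLE_STREAM + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# A plain document with no actions at all, for comparison (also constructed).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Names that make a document act on its own (heuristic list for this example).
ACTION_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]
# Idioms typical of exploit scripts: heap-spray unescape, %u-encoded shellcode, eval.
JS_INDICATORS = [rb"unescape", rb"%u[0-9a-fA-F]{4}", rb"eval\(", rb"String\.fromCharCode"]


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names (/J#61vaScript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def extract_streams(data: bytes):
    """Return the raw body of each stream. Uses a direct /Length when the stream
    dictionary carries one, otherwise falls back to the endstream keyword. This is
    a triage heuristic, not a full PDF parser: crafted files often break one of
    the two, which is why both are tried."""
    bodies = []
    for m in re.finditer(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n", data, re.S):
        start = m.end()
        length = re.search(rb"/Length\s+(\d+)(?![\d\s]*R)", m.group(1))  # skip "N 0 R"
        if length:
            body = data[start:start + int(length.group(1))]
        else:
            end = data.find(b"endstream", start)
            body = data[start:end if end >= 0 else len(data)].rstrip(b"\r\n")
        bodies.append(body)
    return bodies


def inflate(body: bytes) -> bytes:
    """Decompress a FlateDecode body; return it unchanged if it is not zlib data."""
    try:
        return zlib.decompress(body)
    except zlib.error:
        return body


def scan_pdf(data: bytes) -> dict:
    """Count action keywords in the object dictionaries (after un-escaping names),
    count the escaped names themselves, inflate the streams and look inside them
    for exploit-script idioms. Returns the counts plus a simple additive score."""
    bodies = extract_streams(data)
    dict_text = data
    for body in bodies:                      # keep keyword counts to dictionaries
        dict_text = dict_text.replace(body, b"")
    inflated = [inflate(b) for b in bodies]
    searchable = normalize_names(dict_text) + b"\n" + b"\n".join(inflated)
    keywords = {k.decode(): len(re.findall(k + rb"(?![A-Za-z])", searchable))
                for k in ACTION_KEYS}
    escaped_names = len(re.findall(rb"/\w*#[0-9A-Fa-f]{2}", dict_text))
    js_hits = sorted({i.decode() for i in JS_INDICATORS
                      if any(re.search(i, blob) for blob in inflated)})
    score = sum(1 for n in keywords.values() if n) + escaped_names + len(js_hits)
    return {"keywords": keywords, "escaped_names": escaped_names,
            "streams": len(bodies), "js_indicators": js_hits, "score": score}


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, scan_pdf(doc))
```

The point of un-escaping names before counting is that a grep for "/JavaScript" on the raw bytes misses the sample entirely, while the escaped name is itself worth a point: benign producers almost never write names that way. Treat the score as a sorting key for which files to open in a debugger, not as a verdict.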
Nov 11 2008, 03:23 PM - Post #3 - AplusWebMaster
More PDF exploits...
- http://blog.trendmicro.com/adobe-reader-vu...eing-exploited/
Nov. 11, 2008 - "Several active exploits targeting a vulnerability in Adobe Reader are now in the wild... Users with unpatched Adobe Reader software may be infected when they unknowingly access a certain remote website or are redirected there from malicious banners and ads. Upon execution, TROJ_PIDIEF.CB could crash Reader and then allow a malicious user to take control of an affected system. This compromises system security and exposes it to more threats as malicious users could easily dump adware and malicious programs..."
Nov 13 2008, 09:58 PM - Post #4 - AplusWebMaster
FYI...
- http://blog.trendmicro.com/bogus-federal-r...er-pdf-exploit/
Nov. 13, 2008 - "A -new- round of PDF exploits is being pushed by websites pretending to be the US Federal Reserve. Several spammed email messages were intercepted starting last week advertising these fake Federal Reserve pages... This spam run is still continuing as of this writing, and it is now advertising more bogus sites... These domains resolve to a single IP address with a relatively short TTL (time to live) of 3600 seconds. What's peculiar with the above domains is that when one is using OpenDNS and browses to the prepared site, OpenDNS will report that the site is not loading. However, the DNS requests over other ISPs' nameservers loaded the bogus Fed pages... The fraudulent site redirects to a porn search page a few seconds after loading, and a PDF exploit is downloaded into the system. This particular script hosting the exploit has some anti-detection routines which attempt to prevent its contents, particularly the PDF JavaScript, from being seen by nosy researchers... The PDF JavaScript is designed with downloaders of downloaders that come from different internet locations. The final component (at the end of the downloader chain) is a trojan that infects and automatically restarts the victim PC. After restart, the infected machine regularly launches malformed HTTPS transactions (at an interval of 6.5 seconds) to a certain server. The transaction can be considered malformed because the SSL handshake used by normal SSL websites is missing in this particular HTTPS traffic. Even so, the traffic is still encrypted somehow. This type of HTTPS bot was spotted a few months earlier. The regularity of the HTTPS traffic suggests that this is a botnet with a Web-based C&C. This is certainly an improvement over the Web-based bots of old, where traffic was seen in plaintext.
The botherders have actually made it a point to hide the network actions of their bots from IDSes (intrusion detection systems) by encrypting their network traffic. Makes one wonder what else the bad guys have in store for us..." (Screenshots and more detail available at the URL above.)
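The bot behaviour quoted above (port-443 connections with no SSL handshake, repeated every 6.5 seconds) is detectable from flow metadata without decrypting anything: a real TLS client opens with a record header (type 0x16 handshake, version 0x03 0x0x) or an SSLv2-compatible CLIENT-HELLO, and a human's browsing is not metronomic. The script below is an added example, not code from the post or the Trend Micro write-up. The flow records are constructed for the example, and the thresholds (at least five connections, coefficient of variation of the inter-connection gap at most 0.15, at least half the connections lacking a handshake) are assumptions chosen for illustration, not values from the source.

```python
import statistics
from collections import defaultdict

# Constructed flow records (made up for this example, not from the post): one
# line per outbound TCP connection, fields are
# "seconds src dst dport first_client_payload_bytes_hex".
SAMPLE_FLOWS = """\
# bot: 10.0.0.5 -> 203.0.113.10 every ~6.5 s, first bytes are not a TLS record
0.0   10.0.0.5 203.0.113.10 443 9fd21a77
6.5   10.0.0.5 203.0.113.10 443 0b7e44c9
13.1  10.0.0.5 203.0.113.10 443 e210ff3a
19.5  10.0.0.5 203.0.113.10 443 77a0c1d2
26.0  10.0.0.5 203.0.113.10 443 3c3c9e10
32.5  10.0.0.5 203.0.113.10 443 b81d0f55
39.0  10.0.0.5 203.0.113.10 443 40e7aa91
45.5  10.0.0.5 203.0.113.10 443 d5127c08
# ordinary browsing: bursty timing, every connection opens with a ClientHello
0.0   10.0.0.5 198.51.100.20 443 160301
1.2   10.0.0.5 198.51.100.20 443 160301
1.9   10.0.0.5 198.51.100.20 443 160301
47.3  10.0.0.5 198.51.100.20 443 160301
48.0  10.0.0.5 198.51.100.20 443 160301
130.5 10.0.0.5 198.51.100.20 443 160301
# periodic but legitimate: an update check every 60 s that really speaks TLS
0.0   10.0.0.9 198.51.100.30 443 160301
60.0  10.0.0.9 198.51.100.30 443 160301
120.0 10.0.0.9 198.51.100.30 443 160301
180.0 10.0.0.9 198.51.100.30 443 160301
240.0 10.0.0.9 198.51.100.30 443 160301
# too few connections to judge
5.0   10.0.0.7 203.0.113.10 443 1a2b3c4d
12.0  10.0.0.7 203.0.113.10 443 5e6f7a8b
"""


def looks_like_tls(first_bytes: bytes) -> bool:
    """True if a connection's first client bytes look like a real SSL/TLS
    handshake: a TLS record header (type 0x16, version 3.x) or an
    SSLv2-compatible CLIENT-HELLO (high bit of the length set, type 0x01).
    A bot that merely uses port 443 with its own crypto fails both."""
    if len(first_bytes) < 3:
        return False
    b0, b1, b2 = first_bytes[0], first_bytes[1], first_bytes[2]
    if b0 == 0x16 and b1 == 0x03 and b2 <= 0x04:
        return True
    if b0 & 0x80 and b2 == 0x01:
        return True
    return False


def parse_flows(text: str):
    """Parse the whitespace-separated flow format above; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, payload_hex = line.split()
        flows.append((float(ts), src, dst, int(dport), bytes.fromhex(payload_hex)))
    return flows


def summarize_https(flows, min_flows=5):
    """Per (src, dst) pair on port 443: mean gap between connections, its
    coefficient of variation (stdev/mean; small means metronomic) and the
    share of connections that did not open with a TLS handshake."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, first in flows:
        if dport == 443:
            by_pair[(src, dst)].append((ts, first))
    stats = {}
    for pair, events in by_pair.items():
        if len(events) < min_flows:
            continue
        events.sort(key=lambda e: e[0])
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        non_tls = sum(1 for _, first in events if not looks_like_tls(first))
        stats[pair] = {"count": len(events), "mean_gap": mean, "cv": cv,
                       "non_tls_ratio": non_tls / len(events)}
    return stats


def find_beacons(flows, min_flows=5, max_cv=0.15, min_non_tls=0.5):
    """Flag pairs that are both metronomic and mostly not real TLS. Either
    signal alone is noisy: update checks are periodic, broken clients send junk."""
    return sorted(pair for pair, s in summarize_https(flows, min_flows).items()
                  if s["cv"] <= max_cv and s["non_tls_ratio"] >= min_non_tls)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for pair, s in summarize_https(flows).items():
        print(pair, s)
    print("beacons:", find_beacons(flows))
```

Requiring both signals is what keeps the update checker out of the result: it is as regular as the bot, but every one of its connections starts with a genuine ClientHello. A sensor that can only see NetFlow, without the first payload bytes, still gets the timing half of this and can route the flagged pairs to a full-packet capture for the handshake check.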