Exploiting vulnerabilities with PDF files
Exploit weaknesses in certain applications for mass use, is now one of the attack vectors for malware more employees, and in this sense I have posted the exploitation of vulnerabilities through several SWF and JS.
In this case, the attacker's goal is to find computers with Adobe Acrobat and Adobe Reader vulnerable to a buffer overflow attack as described in CVE-2008-2992.
The thing is, a concrete example is the address http://prororo7.net/sp/index.php. By accessing this malicious URL is not displayed anything but in the background, the exploit code will exploit the above error if found.
In this case, the attacker's goal is to find computers with Adobe Acrobat and Adobe Reader vulnerable to a buffer overflow attack as described in CVE-2008-2992.
The thing is, a concrete example is the address http://prororo7.net/sp/index.php. By accessing this malicious URL is not displayed anything but in the background, the exploit code will exploit the above error if found.
In this example, download and execute arbitrary remotely and via a malware file f.pdf (MD5: 2de9de23f9db1e7b1e39d0481a372399) using the function util.printf Java Script.
The malicious code appears under the name load.exe (MD5: a6e317f29966fa9e2025f29c7d414c0a) and is discharged from http://prororo7.net/sp/l.php?B=4&s=p.
Unfortunately, the PDF file is constantly manipulated by those who spread it to avoid detection by antivirus programs, and why I say "unfortunately", because the detection rate of malicious PDF that has so far is extremely low. That which we can observe in the report that returns VirusTotal, only five (5) AV companies a total of 39 preventing its infection.
A similar situation exists with the file doc.pdf (MD5: 5fa343ebca2dd5a35b38644b81fe0485) called from http://toureg-cwo.ch/fta/index.php, and downloading the file 1.exe (MD5: 5c581054fbce67688d2666ac18c7f540) whose detection rate is even lower than the previous (4 / 39).
There are many web addresses being used actively to spread malware:
There are many web addresses being used actively to spread malware:
tozxiqud .cn / nuc / spl / pdf. pdf
teirkmm .net / nuc / spl / pdf. pdf
hayboxiw .cn / nuc / spl / pdf. pdf
www.ffseik .com / nuc / spl / pdf. pdf
www.kuplon .biz / SMUN / pdf. php? id = 2435 & vis = 1
www.geodll .biz / ar / spl / pdf.pdf
setcontrol .biz / ar / spl / pdf. pdf
newprogress .tv / for / spl / pdf. pdf
eddii .ru/traffic/sploit1/getfile. php? f = pdf
google-analytics.pbtgr .ru / pdf. php? id = 48,462
hardmoviesporno .com/rf/exp/update1. pdf
You see, the odds of being victims of such strategies of infection is high, it's therefore important to patch as soon as possible, those who use, Adobe applications.
Related information
Exploiting vulnerabilities through SWF
Exploitation of vulnerabilities through JS
Jorge Mieres
Related information
Exploiting vulnerabilities through SWF
Exploitation of vulnerabilities through JS
Jorge Mieres
0 comentarios:
Post a Comment