New Adobe PDF Zero-day Unleashes Trojan.Swaylib

In a previous blog, Symantec reported on a new Adobe zero-day vulnerability (CVE-2013-0640, CVE-2013-0641) affecting Adobe Reader and Acrobat XI (11.0.1) and earlier versions, which was being actively exploited in the wild. Adobe has yet to release a patch for this zero-day, but in an advisory it has provided a means of mitigating the attack.

The initial report on this zero-day being actively used in the wild came from FireEye. They reported that several files were being dropped and downloaded as a result of a successful exploit. Our research can confirm these findings.

Figure 1. Attack using CVE-2013-0640

The steps in the attack, shown in Figure 1, are as follows:

  1. A malicious PDF file drops a DLL file called D.T
  2. D.T decrypts and drops a DLL file called L2P.T
  3. L2P.T creates run keys and then drops and opens a clean PDF file. It also drops downloader component LangBar32.dll
  4. LangBar32.dll contacts a malicious server and downloads additional malware with back door and key logging capabilities
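As an added illustration (not part of Symantec's post or its detections), the following correlation routine flags a host only when the stages listed above are observed in order; the event schema (host, ts, type, image, target, module) and the sample telemetry are constructed assumptions, not data from the post.

```python
from collections import defaultdict

# Stage predicates follow the four steps in the post. Event field names are an
# assumed generic EDR-style export; nothing here is Symantec's own signature logic.
def _ends(e, key, suffix):
    return e.get(key, "").lower().endswith(suffix)

STAGES = [
    ("1 PDF drops D.T",         "file_create",     lambda e: _ends(e, "target", "\\d.t")),
    ("2 D.T drops L2P.T",       "file_create",     lambda e: _ends(e, "target", "\\l2p.t")),
    ("3 run key persistence",   "registry_set",    lambda e: "\\currentversion\\run\\" in e.get("target", "").lower()),
    ("3 drops LangBar32.dll",   "file_create",     lambda e: _ends(e, "target", "\\langbar32.dll")),
    ("4 LangBar32.dll beacons", "network_connect", lambda e: _ends(e, "module", "\\langbar32.dll")),
]

def correlate(events):
    """Return {host: [stage names matched, in chain order]} for every host seen."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    result = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        seen, last_ts = [], -1
        for name, etype, pred in STAGES:
            # each stage must occur at or after the previously matched stage
            hit = next((e for e in evs if e["type"] == etype and e["ts"] >= last_ts and pred(e)), None)
            if hit:
                seen.append(name)
                last_ts = hit["ts"]
        result[host] = seen
    return result

def full_chain_hosts(events):
    """Hosts on which every stage of the drop chain was observed."""
    return sorted(h for h, s in correlate(events).items() if len(s) == len(STAGES))

# Constructed sample telemetry: ws01 shows the whole chain, ws02 only a benign run key.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 1, "type": "file_create", "image": "AcroRd32.exe", "target": "C:\\Users\\a\\AppData\\Local\\Temp\\D.T"},
    {"host": "ws01", "ts": 2, "type": "file_create", "image": "rundll32.exe", "target": "C:\\Users\\a\\AppData\\Local\\Temp\\L2P.T"},
    {"host": "ws01", "ts": 3, "type": "registry_set", "image": "rundll32.exe", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\LangBar"},
    {"host": "ws01", "ts": 4, "type": "file_create", "image": "rundll32.exe", "target": "C:\\Users\\a\\AppData\\Roaming\\LangBar32.dll"},
    {"host": "ws01", "ts": 5, "type": "network_connect", "image": "rundll32.exe", "module": "C:\\Users\\a\\AppData\\Roaming\\LangBar32.dll", "dest": "198.51.100.7:443"},
    {"host": "ws02", "ts": 1, "type": "file_create", "image": "AcroRd32.exe", "target": "C:\\Users\\b\\Downloads\\invoice.pdf"},
    {"host": "ws02", "ts": 2, "type": "registry_set", "image": "setup.exe", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
    print("full chain on:", full_chain_hosts(SAMPLE_EVENTS))
```

A lone run-key write on ws02 is reported as a partial match rather than an alert, which is the point of correlating the stages instead of alerting on any single one.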

Symantec has antivirus detections in place for the stages of this attack as Trojan.Pidief and Trojan.Swaylib (initially detected as Trojan Horse). The intrusion prevention system (IPS) signature Web Attack: Malicious PDF File Download 5 has also been released to detect use of this specific Adobe exploit in further attacks.

Additional research has shown that the PDF used in this attack would have been caught by our Symantec Mail Security for Microsoft Exchange product, and that the dropped files used in this attack would have been detected as WS.Malware.2 by Symantec's cloud-based detection technology.

Symantec is currently investigating further protections for this zero-day and will provide an update to this blog when possible. To protect against potential zero-day threats, Symantec recommends that you use the latest STAR Malware Protection Technologies to ensure the best possible protection is in place.

iOS 6.1 brings back bug that gives anyone access to your contacts, photos (Update)

An old vulnerability in the iPhone's lock screen and Emergency Call feature appears to have resurfaced for a third time in iOS 6.1. With the right sequence of button clicking, it's possible to get to an iPhone user's voicemails, contacts, and photos—even if the iPhone is locked and password protected.

A similar bug first appeared in iOS 2.0. That version of iOS added optional user-selectable actions for double-clicking the Home button, with the default to access a user's contact favorites. By clicking the Emergency Call button on an iPhone's lock screen and then double-clicking the Home button, the Phone app would show the list of your favorite contacts. From there, it was possible to access call logs, voicemails, and any contact; send SMS messages; send or read e-mails; and even launch Safari.

Apple fixed the flaw in iOS 2.1, but it popped up again in iOS 4.1. The sequence of actions was a little more complex, however. It required dialing a random number for an emergency call and then hitting the hardware lock button. Doing so would allow the standard Phone app UI to appear once again, giving a potential hacker access to call logs, voicemails, and contacts.


Bogus zombie apocalypse warnings undermine US emergency alert system

Don't worry: today remains V-Day and not Z-Day. On Monday, hackers were responsible for broadcasting bogus emergency messages warning TV viewers of an imminent zombie invasion. It's a series of intrusions that underscore the vulnerability of the nation's public warning system.

"Civil authorities in your area have reported that the bodies of the dead are rising from the grave and attacking the living," stated one warning broadcast over KRTV in Great Falls, Montana, according to Reuters. It went on to warn viewers not "to approach or apprehend these bodies as they are extremely dangerous."

Investigators have yet to determine the cause of the hacks, which were also perpetrated on Emergency Alert System devices used by stations in Michigan, California, Tennessee, and New Mexico. But Mike Davis, a hardware security expert and principal research scientist at security firm IOActive, told reporters he recently found a variety of weaknesses in some of the machines used to receive emergency messages and then automatically interrupt regular programming to broadcast them over the air. Weaknesses included devices that still used default passwords that are listed in user manuals hosted online and authentication bypass vulnerabilities that allow hackers to log in even when they don't have a password.


Research In Motion Releases Security Update for BlackBerry Enterprise Server

Original release date: February 14, 2013 | Last revised: February 25, 2013

Research In Motion (RIM) has released a security advisory for BlackBerry Enterprise Server to address multiple vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code or allow elevation of privileges.

RIM has released updates for the following versions:

  • BlackBerry Enterprise Server Express versions 5.02 through 5.04 for Microsoft Exchange and IBM Lotus Domino
  • BlackBerry Enterprise Server versions 5.02 through 5.04 for Microsoft Exchange and IBM Lotus Domino
  • BlackBerry Enterprise Server versions 5.0.1 and 5.0.4 for Novell Groupwise

US-CERT encourages users and administrators to review RIM security advisory BSRT-2013-003 and apply any necessary updates to help mitigate the risk.
