
Archive for October 17th, 2007


Oct17
by Edgardo Diaz, Jr. (Threats Analyst)

A new proof-of-concept exploit was released with full disclosure [http://security.fedora-hosting.com/0day/pdf/pdf_poc.pdf]. It takes advantage of a vulnerability in the way URIs (uniform resource identifiers, compact strings of characters that identify a resource) are handled in PDF files.

[Screenshot: PoC PDF file. Opening this PDF file also opens a New Message window.]

[Screenshot: PoC PDF file. URI of the PDF file shown above.]

The vulnerability is caused when Adobe Acrobat passes the parameter received by the URI command to a ShellExecuteA API.

It affects the following Adobe products:

  • Adobe Reader 8.1 and earlier versions
  • Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions
  • Adobe Acrobat 3D

As of this writing, there is still no patch available for the said vulnerability. However, exploits like this can be prevented from executing by setting the following registry values:

For Acrobat:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockDown\cDefaultLaunchURLPerms\tSchemePerms = version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2

For Reader:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockDown\cDefaultLaunchURLPerms\tSchemePerms = version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2
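The following PowerShell script is an added example, not part of the original post or of any Adobe or Trend Micro tooling. It applies the tSchemePerms lockdown value above to both the Acrobat 8.0 and Reader 8.0 policy keys, then reads the value back and checks that the mailto: scheme is blocked. It assumes it is run from an elevated prompt on the affected Windows host, uses the HKLM: registry drive for the paths given above, and treats the per-scheme levels as Adobe's FeatureLockDown uses them (3 = never allow, 2 = always allow, 1 = prompt); the function names are this example's own.

```powershell
# Added example (not from the original post): apply the advisory's tSchemePerms
# lockdown to Acrobat 8.0 and Reader 8.0, then verify it took effect.
# Assumptions: run elevated; per-scheme levels 3 = block, 2 = allow, 1 = prompt.

$SchemePerms = 'version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2'

# The two policy keys named in the mitigation above, as HKLM: provider paths
$LockdownKeys = @(
    'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockDown\cDefaultLaunchURLPerms',
    'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockDown\cDefaultLaunchURLPerms'
)

function Set-SchemePerms {
    # Create the policy key if needed and write the REG_SZ value
    param([string]$Key, [string]$Value)
    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null   # -Force creates missing parent keys
    }
    Set-ItemProperty -Path $Key -Name 'tSchemePerms' -Value $Value -Type String
}

function ConvertFrom-SchemePerms {
    # Parse "scheme:level|scheme:level|..." into a hashtable of scheme -> level
    param([string]$Value)
    $map = @{}
    foreach ($pair in ($Value -split '\|')) {
        $name, $level = $pair -split ':', 2
        $map[$name] = [int]$level
    }
    return $map
}

function Test-MailtoBlocked {
    # Audit check: does the key exist and set mailto to level 3 (block)?
    param([string]$Key)
    $current = (Get-ItemProperty -Path $Key -Name 'tSchemePerms' -ErrorAction SilentlyContinue).tSchemePerms
    if (-not $current) { return $false }
    $perms = ConvertFrom-SchemePerms -Value $current
    return ($perms.ContainsKey('mailto') -and $perms['mailto'] -eq 3)
}

foreach ($key in $LockdownKeys) {
    Set-SchemePerms -Key $key -Value $SchemePerms
    if (Test-MailtoBlocked -Key $key) {
        Write-Host "OK       $key : mailto: is blocked"
    } else {
        Write-Host "MISSING  $key : mailto: is NOT blocked"
    }
}
```

Test-MailtoBlocked on its own is also usable as a read-only audit across a fleet: it returns $false when the policy key is absent or the mailto: scheme is set to anything other than 3, which is the state an unpatched host is in by default.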

This vulnerability can be used by malicious programs to enter a target system by automatically opening URLs and/or downloading malicious files over the Internet.

More information is posted on Adobe's security advisories Web site [http://www.adobe.com/support/security/advisories/apsa07-04.html].

Additional information taken from http://www.heise-security.co.uk/news/96982.


Oct17
by Mayee Corpin (Technical Communications)

It is said that change is the one constant in life, and it is proving true in the case of the Storm malware. Usually, change is good, but where the said malware is involved, change may mean something else.

The infamous Storm worm has gotten an update, with the giant botnet that it employs now broken into segments, or smaller networks. The latest Storm variants now use a 40-byte key to encrypt traffic over the peer-to-peer (P2P) protocol Overnet, as first reported by our counterparts in SecureWorks. Overnet lets individual bots connect to other infected systems. Using encryption means that communication is only possible between botnet nodes that are using the same key.

This may be an indication that the Storm worm creators are set to go to market with Storm variants, which they could sell in malware forums to other malicious users (spammers or DoS attackers). This could translate to automated spam kits, which could in turn lead to a skyrocketing of Storm infections.

Another reason could be for the Storm authors to more easily manage their networks. The upside could be that system administrators themselves may now be able to better protect their networks against the deluge of the Storm malware, whereas before the Storm botnet was believed difficult to eliminate because of its use of P2P technology (instead of a single C&C server).

The Storm worm began its downpour in January this year, earning its name for its social engineering technique of squatting on the real-world Kyrill storm that was then ravaging Northern Europe. It first sent out spammed email messages that promised more information about the said storm. Users ended up downloading a Trojan that rendered their machines zombies, part of the Storm botnet that is now estimated at 1-50 million PCs.

The Storm Saga

Since then, the botnet has been constantly evolving, employing one new technique after another. More notably, it came as eCard spam that rode on big occasions like Fourth of July, Labor Day, and the NFL season; contained links that supposedly led to a YouTube video file; offered downloads of the otherwise legitimate application Tor Proxy or a BETA testing program; and posed as “welcome” messages for memberships to various online services. Most recently, it was seen as a worm that came via fake eCards meant for unsuspecting users with a fondness for felines.

There is still no end in sight to the twists and turns in the history of the Storm worm. But if this new development works in the Storm authors’ favor, this malware family is poised to devolve into a cyclone, with said creators bringing more damage to property and earning in the process. For now, the coast is yet unclear.

 

Oct17
by Robert McArdle (Threats Analyst)

While testing IP addresses that had previously been known to serve Storm samples, we came across a nice surprise. Although the Storm network has not yet started to send a new wave of emails, it looks like they are in the process of setting up the sites to handle them, so expect a new wave shortly.

As can be seen in the screenshot below, the site will be using the name Krackin v1.2, so it looks like the Laughing Psycho Kitty Cat has been put to rest (poor thing).

This time around the executable name is krakin.exe, but apart from the name change, all of the usual Storm attributes are there. Upon execution, the victim will join the now infamous Storm P2P network, where their machine may be used for any number of criminal purposes. Not quite "The New Global Sharing Network" that the victim had been hoping for…

Needless to say, Trend Micro proactively detects this file as WORM_NUCRYPT.GEN.

© Copyright 2008 Trend Micro Inc. All rights reserved.