At first glance, the ads may seem like the typical Web browser nuisance. However, random ads were proven to be vectors for downloading malware onto users’ systems. In one instance, an ad pointed to a URL containing exploits that download and execute several files on affected systems. The downloaded files include a malicious Java file (detected by Trend Micro as JS_BYTEVER.BG) and .PDF files (detected as TROJ_PIDIEF.GBA and TROJ_PIDIEF.GBB), among others.

According to advanced threats researcher Jonell Baltazar, these .PDF files exploit known vulnerabilities found in Adobe Reader (Collab.collectEmailInfo, Collab.getIcon, and util.printf) to download a file if the user’s application remains unpatched. Furthermore, Baltazar explains, the malicious .PDF files use getPageNumWords() and getPageNthWords() Adobe JavaScript application programming interfaces (APIs). The files also used the app.info.Author field of the .PDF document to store the encoded payload URL, which enables them to defeat automated PDF and JavaScript analysis tools.

As discussed in the 2010 Threat Predictions by Trend Micro CTO Raimund Genes, drive-by infections are the norm and one Web visit is enough to get infected. Users are thus advised to disable JavaScript on their Web browsers and to practice vigilance, verify URLs, and update browsers to avoid being redirected to malicious URLs.

Trend Micro™ Smart Protection Network™ protects product users from this threat by detecting and preventing the execution of the malicious files via the file reputation service. It also protects customers by blocking user access to malicious websites.

Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.

Update as of March 17, 2010, 4:23 P.M. (GMT +8):

Senior threat response engineer Vincent Cabuag adds that this relatively new encryption technique renders standard analysis tools useless in detecting the malicious script inside the .PDF file. The malicious script is obfuscated in a way that it requires the usage of certain APIs to be decrypted. Thus, it would require manual analysis to be able to emulate the embedded script.

Update as of March 18, 2010,7:54 P.M. (GMT +8):

According to further research by Baltazar, the attack used the “Liberty Exploit Kit”, which exploits known vulnerabilities found in IE (like MS06-014 (MDAC) and MS DirectShow). The exploit kit also includes exploits targeting Flash 9 (this is the most probable vector for malicious ads) and the mentioned PDF exploits.

Thus, no user-click is needed for the attack to be successful. Users must keep their Flash, Adobe Reader, and IE browser updated with latest available security patches in order to be protected from this attack.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malicious Ads Lead to PDF Exploits

On February 16, Adobe released a security advisory describing a vulnerability in Adobe Reader and Acrobat 8.X and 9.X. Once the vulnerability is exploited, attackers gain the capability to perform denial-of-service (DoS) attacks on affected systems. Doing so can cause applications and even systems to crash. Attackers can also execute arbitrary code on affected systems.

Trend Micro detects the exploit binary as TROJ_PIDIEF.EXP, a specially crafted .PDF file. It belongs to a family of known exploits that target Adobe Acrobat and Reader vulnerabilities. This family is also capable of dropping other malicious files such as spyware and backdoors onto affected systems.

Users are advised to update to the latest versions of the aforementioned Adobe products to secure their systems from attacks related to this vulnerability.

Trend Micro™ Smart Protection Network™ protects product users from this threat by detecting and executing the malicious file via the file reputation service.

Post from: TrendLabs | Malware Blog - by Trend Micro

More Adobe Exploits in the Wild

This vulnerability primarily affects IE 6 and 7. Internet Explorer 8 is not affected. Users using the affected browsers are advised to follow the workarounds in Microsoft’s advisory until the applicable patches are released. Systems using the latest Windows versions—Windows 7 and Server 2008 — are automatically immune from this threat since the said OS versions are shipped with IE 8. Those using earlier versions, however, would benefit from upgrading their browsers to IE 8.

In relation to this vulnerability, Trend Micro currently detects a malicious JavaScript file as JS_SHELLCODE.CD, which exploits CVE-2010-0806 and allows unauthorized download of files onto affected machines.

Trend Micro™ Smart Protection Network™ protects customers from this threat by blocking user access to the malicious website the JavaScript connects to via the Web reputation service. It also detects and prevents the download of JS_SHELLCODE.CD via the file reputation service.

Trend Micro Deep Security™ and Trend Micro OfficeScan™ likewise protect business users via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF10-011 release, rule number IDF10011.

Post from: TrendLabs | Malware Blog - by Trend Micro

New IE Zero-Day Exploit (CVE-2010-0806)

As part of its regular Patch Tuesday schedule, Microsoft released two security fixes to address vulnerabilities found in certain versions of Windows Movie Maker and Office Excel. This is the first time in almost two years that Microsoft did not include any critical patch in its release.

Both vulnerabilities allow remote code execution when a user opens a specially crafted Movie Maker or Microsoft Producer project file and a specially crafted Excel file. More information on the security advisories can be found in this Trend Micro Security Advisory page.

While this may be good news, this was somewhat balanced out by the discovery of a new zero-day exploit found in Internet Explorer (IE). This exploit is the second found in the last 60 days. The previous one was discovered in January. This exploit takes advantage of an invalid pointer reference vulnerability to execute arbitrary code. Only IE 6 and 7 are vulnerable. Users of IE 8 are safe from this threat.

The exploit code is now available publicly and some related attacks are being tracked.

But Microsoft is not alone in being hit by vulnerabilities this week.

Alternate browser, Opera, was also found to have a flaw in the way it handles the Content-Length HTTP header. At the very least, this can cause the browser to crash.

Server applications also came under fire. The popular spam blocker, SpamAssassin, was also found to have a security flaw. This flaw can allow code contained in a specially crafted email that was processed by the application to be executed with administrative privileges on an email server. However, as the specially crafted email would have an invalid recipient, it is unclear if properly configured servers are also vulnerable.

Patching vulnerable applications sounds like a solution but that may not be ideal, particularly for enterprise users. Restarting servers is often not as simple for them as it is for home users. In addition, some individuals who discover vulnerabilities believe, wrongly or not, that software vendors take a long time to issue patches as well as downplay the severity of any known flaw. Because of this, some prefer to reveal the flaws publicly to force vendors to release patches as soon as possible.

Trend Micro advises users to keep their security programs up to date and to immediately apply patches once they are released by their vendors. Users can download this month’s Microsoft patches from the official Microsoft Security Bulletin page or run Windows Update to automatically download and apply the patches.

For business users, Trend Micro Deep Security™ and Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in can be shielded from vulnerabilities, often even before vendor patches are available.

Post from: TrendLabs | Malware Blog - by Trend Micro

Multiple Vendors Affected by New Vulnerabilities

This worm tries to gain access to a target router by guessing the router’s configuration password using brute force. It may also spread via shared networks by exploiting a known Microsoft vulnerability, MS03-039 Buffer Overrun in RPCSS Service. The worm’s routines make users who are connected to the same network or router at risk of being infected.

This worm also has backdoor capabilities that allows attackers to execute remote command on affected systems, which include downloading and executing other malware and launching denial-of-service (DOS) attacks against other systems. Ultimately, its main goal is still to gain profit from unknowing users by stealing personally identifiable information (PII) and credentials to access certain websites, particularly online banking sites.

Its infection routine via router may be unusual for most bots of its kind, which usually infects computers. But it is not the first time that bots have used modems and routers as a propagation platform. Trend Micro has, in fact, reported such attacks in the past in relation to other threat families such as ZLOB, RBOT, and QHOST.

For more information on how old-school network bots work, you may read Trend Micro’s white paper, “SDBOT IRC Botnet Continues to Make Waves.”

Users are highly advised to keep their systems updated with the latest patches and to use strong router and modem passwords to avoid infection. Computers that may have already been compromised should be immediately isolated from networks and cleaned of the bot.

Trend Micro™ Smart Protection Network™ already protects product users from this threat by detecting and preventing the file’s execution on affected systems via the file reputation service.

Non-Trend Micro product users, on the other hand, can use free tools like RUBotted, which monitors computers for suspicious activities and regularly checks with an online service to identify behaviors associated with bots. Upon discovering potential infections, it prompts users to scan and clean their computers.

Post from: TrendLabs | Malware Blog - by Trend Micro

Botnet Rises in the Name of Chuck Norris

It is interesting to note that its final payload is the download of a malicious binary file that happens to be a ZBOT/ZeuS variant detected as TROJ_ZBOT.BYZ. This acts as a combination of the two most
prevalent threats today— ZBOT and PDF exploits. From phishing emails to social-networking sites, the widespread ZeuS Trojan has now been making its rounds across various attack vectors to get into users’ systems.

ZeuS has been around since 2007 and even if most antivirus companies have caught on with its stealth and polymorphic routines, this malware still shows no signs of slowing down.

Learn more about ZBOT/ZeuS by reading more about the various tactics it uses in the following blog entries:

• Keeping an Eye on EYEBOT and a Possible Bot War
• New ZBOT/Zeus Binary Comes with a Hidden Message
• ZBOT Variant Spoofs the NIC to Spam Other Government Agencies
• Phishing in the Guise of Enhancing Security
• ZBOT Targets Facebook Again

Trend Micro protects users from this attack via the Smart Protection Network™, which blocks user access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service. Not a Trend Micro user? We also offer free system checks with HouseCall, which identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems. You may also use RUBotted to find out if your machine is already part of a botnet.

Post from: TrendLabs | Malware Blog - by Trend Micro

ZeuS and PDF Exploits: Two Baddies Team Up

The flaw was found in Adobe Download Manager (DLM), an application Adobe uses to deliver common applications (e.g., Flash and Reader) to users’ systems. Normally, it cannot be used to download non-Adobe files onto users’ systems. However, according to Raff, a vulnerability in DLM that allows third parties to download and install files onto users’ systems, in effect, making it vulnerable for use as a malware downloader.

Raff has not released specific details about this vulnerability and has indicated that he would not do so until the problem has been resolved by Adobe. On Tuesday, Adobe released a new security bulletin indicating that they have resolved this issue. Users who used Adobe DLM to download either Flash or Acrobat from February 23, 2010 onwards are safe; everyone else is advised to removed the Adobe Download Manager entry in the Add/Remove Programs applet in the Windows Control Panel.

This is not the first time DLM has proven vulnerable to malicious attacks. In fact, in January of this year, a remote code execution vulnerability in the application was among those Adobe patched.

This was on top of a bug that Raff also discovered earlier, which allowed DLM to be triggered to download Adobe or Adobe-approved applications by going to a specific URL on the company’s site. In a situation where an unpatched vulnerability in an Adobe product was thus present, this bug could allow cybercriminals to install vulnerable applications onto users’ systems, which they could then exploit to execute malware.

Security Has a Price—Problems with Security Updates

Trend Micro researcher, Rajiv Motwani, notes that the combined impact of fixing these and other similar holes in a relatively short period of time are becoming problematic for users, particularly enterprises. In theory, Adobe is supposed to release quarterly security updates for its products but regular discoveries of new flaws have significantly been undermining its plan.

Though unscheduled patches pose problems for home users and small businesses, large enterprises face greater risks. System administrators traditionally loath to use automatic updates on enterprise systems, as this may cause disruptions to important business operations.

The burden of updating systems will then fall either on users or administrators—neither of whom think this is an appealing proposition. It is also likely that systems will not be updated, leaving them wide open to exploits. A Trusteer study found that this was exactly the case for Adobe products, revealing that only 7 percent of the total number of product users had updated versions of Acrobat applications while only 19 percent had updated Flash versions.

These concerns are always present for applications. However, for Adobe products like Flash and Acrobat, the risks are greater due to the vendor’s success. The same Trusteer study found that more than 90 percent of the total number of users run some version of Flash while 99 percent run Acrobat or Reader applications.

As Motwani notes, these two factors—Adobe’s high market penetration and users’ failure to regularly patch their systems—not only raises the number of systems that can potentially be affected. It also means that organizations face the added burden of testing each patch for stability and/or performance issues and of rolling it out in a phased manner.

Solutions and Best Practices

Consumers and small businesses will benefit most by applying any Adobe patch as soon as it is released. Both Flash and Acrobat products now include standard auto-update features that can be scheduled to check for updates on a regular basis.

OfficeScan enterprise users with the Intrusion Detection Firewall (IDF) plug-in helps protect against threats of this nature, thus providing protection until system administrators deem it acceptable to roll out relevant patches.

Post from: TrendLabs | Malware Blog - by Trend Micro

New Adobe Download Manager Bug

According to Adobe’s latest security bulletin, the said critical vulnerability could affect Adobe Reader 9.3 for Macintosh, Windows, and Unix; Adobe Acrobat 9.3 for Macintosh and Windows; and Adobe Reader and Acrobat 8.2 for Macintosh and Windows based on reports from Microsoft and Michael Yong Park. If cybercriminals exploited the said vulnerability, they could make unauthorized cross-domain requests or worse take control of affected systems, similar to the effects of a flaw in Adobe Flash and Adobe AIR Park also spotted days earlier.

According to ZDNet, Adobe insisted that there were no active expoits in the wild targeting the said vulnerability. TrendLabs engineers, on the other hand, have documented a number of noteworthy incidents wherein cybercriminals utilized Adobe Acrobat and Reader vulnerabilities, specifically in the way these software handled JavaScript:

• New Adobe Zero-Day Vulnerability Again
• Unpatched Adobe Vulnerability Is Still Being Exploited in the Wild
• Spam Attack Against the U.S. Defense Department Exploits an Adobe Vulnerability

Users of affected versions of Adobe Reader and Acrobat are strongly advised to download the updates in this security bulletin.

Trend Micro™ Smart Protection Network™ protects users from these kinds of attack by blocking user access to malicious sites and domains via the Web reputation service, by preventing spammed messages containing links to malicious sites from even reaching their inboxes via the email reputation service, and by detecting and consequently deleting malicious exploits from their systems via the file reputation service.

Smart Protection Network™ also protects Trend Micro product users via Trend Micro Smart Surfing for Mac and Trend Micro Security for Mac.

Post from: TrendLabs | Malware Blog - by Trend Micro

Adobe Releases Out-of-Band Patch for Adobe Reader and Acrobat

The long list includes five bulletins rated “critical,” which specifically patch nine vulnerabilities that could lead to remote code execution. Unless patched, an attacker could exploit any of the said vulnerabilities to gain control of the user’s system. Most notable on the list is MS10-013, which could give an attacker complete control of an affected system. Considering the damage that exploiting this vulnerability could cause, it is very important that users patch their systems as soon as possible.

The February release also includes seven bulletins rated “important” and one rated “moderate.” It is also important to note the addition of MS10-015 to the list, which addresses the so-called 17-year-old hole described in Security Advisory 979682. However, Microsoft reiterates that while it is aware of publicly available proof-of-concept (POC) code for the issue, it has yet to see any active exploits. More information on the complete list of security advisories can be found in this Trend Micro Security Advisory page.

Coinciding with this month’s release is yet another FAKEAV variant detected by Trend Micro as TROJ_FAKEAV.BLJ, this FAKEAV incidentally purports to be a Windows Automatic Update that supposedly installs a Windows XP update. It then proceeds to use the same old scareware tactics that warn users of bogus system infections. Users are thus advised to download security updates only from the official Microsoft Security Bulletin page.

Trend Micro™ Smart Protection Network™ protects users from this threat by detecting and preventing the download of harmful codecs and malicious files such as TROJ_FAKEAV.BLJ.

Even non-Trend Micro product users can stay protected via HouseCall, Trend Micro’s free on-demand scanner that identifies and removes viruses, Trojans, worms, unwanted browser plug-ins, and other malware from infected systems.

Update (February 1, 2010, 9:06 p.m. [GMT +8:00]):

Microsoft has released an official statement concerning restart issues that some users are currently experiencing after installing this month’s patch updates. Specifically, intial analysis suggets that a limited number of users encounter a blue screen after installing MS10-015. As the Microsoft team continues to conduct tests, they have temporarily stopped offering the update through Windows Update. However, a workaround has been made available with a Microsoft Fix.

Post from: TrendLabs | Malware Blog - by Trend Micro

February Patch Tuesday—13 Security Bulletins for 26 Vulnerabilities Plus a FAKEAV

We want to let our readers know that Trend Micro can help users proactively block this malicious attack and others like it—with or without the out-of-band patch released by Microsoft yesterday. In addition to business solutions like Intrusion Defense Firewall (IDF)—an OfficeScan™ plug-in—and Trend Micro Deep Security, we also offer a free tool—Trend Micro Browser Guard—that proactively protects home users by preventing exploits. Trend Micro Browser Guard protects by detecting buffer overflow and heap spray attempts as well as shellcode, thereby protecting users ahead of the threat.

To download Trend Micro Browser Guard, please click here.

In addition to these proactive solutions, Trend Micro also recommends that companies and home users ensure that their security software is up-to-date—preferably that users utilize Web reputation capabilities to block access to sites that host malicious code like those used in the Google attack.

In the recent attacks, targeted spammed messages loaded with malware were also sent to users. Users with vulnerable IE browsers may unwittingly access malicious sites containing hidden JavaScript malware that takes advantage of a zero-day vulnerability. Microsoft initially advised users to enable the use of “Data Execution Prevention (DEP)” but cybercriminals attempted to counter this by introducing a new exploit code that bypasses this. Microsoft was thus forced to release a patch outside of its regular Patch Tuesday cycle.

While the initial attacks targeted specific companies, the threat has since evolved and is now fully in the wild, leaving all Internet users potentially at risk.

Post from: TrendLabs | Malware Blog - by Trend Micro

Trend Micro Proactively Helps Protect Against Zero-Day Attacks Like the Recent IE Exploit

Further analysis by TrendLabs threat experts found that the new scripts are versions of JS_DLOADER.FIS (the only difference being the encryption techniques used), which was widely used in the recent attacks targeting major organizations like Google and Adobe. However, instead of merely targeting such organizations, they are now fully in the wild and hitting ordinary users.

In line with this, Microsoft announced that it will release an out-of-band security update to fix the issue. It is highly advised that users immediately download the security patch once released.

Trend Micro™ Smart Protection Network™ protects users from this type of attack by preventing the download of all the detected malicious files and by blocking user access to malicious sites.

Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with IDF1003879 and IDF1003909 filters.

Update (January 21, 2010 11:00 AM):

The official Microsoft security bulletin and patch has been released. Users are strongly advised to apply this patch—either manually or automatically—to protect themselves against this threat.

Update (January 21, 2010 9:58 PM):

HTML_COMLE.CXC and another new exploit code downloading other component files before downloading HYDRAQ variants are now detected as JS_ELECOM.SMA. JS_ELECOM.SMA calls JS_ELECOM.SMB, its component file, which contains obfuscated data variables necessary for JS_ELECOM.SMA’s proper execution.

Post from: TrendLabs | Malware Blog - by Trend Micro

New IE Zero-Day Exploit Attacks Continue

Cybercriminals targeted contractors of the U.S. Department of Defense with spammed messages with a .PDF file attachment (detected by Trend Micro as TROJ_PIDIEFX.F) posing as a memorandum regarding a conference that will be held in Las Vegas sometime this March. Though the featured conference is real, the memo is not.

Upon execution, TROJ_PIDIEFX.F drops and executes another malicious file detected as TROJ_DLOADR.AUE. This attempts to connect to the remote site http://{BLOCKED}6.202.49 though as of this writing, the URL remains inaccessible.

Users are, however, also advised to apply the latest patch, which Adobe released last Tuesday. For more information on the said vulnerability, visit this Threat Encyclopedia page.

Trend Micro™ Smart Protection Network™ protects users by blocking the spammed messages and detecting and deleting the related malware. OfficeScan users with Intrusion Defense Firewall (IDF) plug-ins are also protected from this attack if their systems are updated with the IDF1003879 filter.

Post from: TrendLabs | Malware Blog - by Trend Micro

Spam Attack Against the U.S. Defense Department Exploits an Adobe Vulnerability

Although these attacks were orchestrated to target certain groups or organizations, any computer can actually fall prey to them. Trend Micro strongly suggests that users keep their systems updated with the latest patches and to apply the necessary workaround fixes for the said Internet Explorer (IE) vulnerability, which can be found in this Microsoft Security Advisory page.

The string of attacks, which uses several vectors, appears to primarily arrive via malicious websites. Users with unprotected systems may unknowingly download a JavaScript malware detected by Trend Micro as JS_DLOADER.FIS. This specially crafted malware exploits a specific vulnerability in IE, rendering it incapable of properly handling objects in memory. This then allows remote code execution except in IE 5.01 by allowing access to an invalid pointer reference within the browser even after an object has already been deleted. To address this issue, Microsoft advises its clients to set their IE 7 browsers in “Protected Mode” if these run on Windows Vista and to enable “Data Execution Prevention (DEP).”

However, in cases wherein the attack is not preempted, the JavaScript connects to a URL and downloads an encrypted malware detected as TROJ_HYDRAQ.SMA, also known as “Aurora.” Once decrypted and executed on the system, this Trojan executes backdoor routines. It is capable of executing other files, terminating services and processes, and more importantly, stealing information from the affected systems. The pertinent data collected are then sent to a remote user for possible use in other malicious activities.

Although there have been some reports that the IE exploit was also found to take advantage of vulnerabilities in Adobe Reader and Acrobat, Adobe states that there has been no evidence that its products were being used as vectors for the said attack. It was, however, one of the organizations that suffered from an attack similar to Google. These Adobe vulnerabilities were found to be exploited by TROJ_PIDIEF.SHK, which, in turn, downloads TROJ_DLOAD.COB onto the affected systems.

Trend Micro™ Smart Protection Network™ protects users from these kinds of attack by preventing the download of all the detected malicious files and by blocking user access to malicious sites.

Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with IDF1003879 and IDF1003909 filters.

Additional text by Oscar Abendan, Carolyn Guevarra, and Elizabeth Bookman

Post from: TrendLabs | Malware Blog - by Trend Micro

Cyber Attacks on Google and Others—Who Is Really at Risk?

Following the usual cycle of monthly patch releases, Microsoft just issued its first for this year yesterday. Microsoft has released one advisory to address the vulnerability found in the way the Embedded OpenType (EOT) Font Engine can render a specially crafted EOT font file in several Microsoft applications such as Internet Explorer, PowerPoint, and Word.

An EOT font is a type of OpenType font with the .eot extension. Microsoft created EOT fonts to have them embedded in Web pages to discourage copying (and eventually, using) copyrighted fonts online, which is almost always a possibility.

According to the official Microsoft bulletin, once the EOT engine renders a malformed EOT file, attackers could use the vulnerability to take complete control of the system. This means that they would be able to perform tasks on an affected machine such as installing new programs, deleting important files, or creating new accounts, all without the user’s knowledge. Microsoft has given MS10-001 an Exploitability Index rating of 2, which means that it can be replicated but the outcome of its use would always vary, thus, inconsistent. Note, however, that this rating only applies to systems running Windows 2000. Later versions are unlikely to be exploited.

In the same vein, Adobe also released a security update detailing new patches for Adobe Reader and Acrobat. The patches address vulnerabilities we found and wrote about last month and last week.

Below is a list of other updates regarding vulnerabilities and patches:

• A proof-of-concept (POC) exploit for Mac OS X has just been released. For details, refer here. Note that in this Registry article, Apple has been informed about the said exploit last June 2009 but decided to sit on the matter.
• Microsoft, too, did its share of sitting on vulnerability concerns rather than addressing them. As of this writing, a security patch for a vulnerability found in SMB that could be used for a denial-of-service (DoS) attacks has yet to be released.

Post from: TrendLabs | Malware Blog - by Trend Micro

One Patch for January’s Patch Tuesday

When executed, BKDR_POISON.UC opens an instance of Internet Explorer and connects to a remote site, cecon.{BLOCKED}-show.org. Once connected, a malicious user may execute any command on the affected system.

Adobe has announced that it will provide a patch for this vulnerability on January 12, 2010 but until then, users are advised to disable JavaScript in Adobe Reader and Acrobat as cybercriminals are sure to take advantage of this unpatched vulnerability. To do this, follow the steps below.

1. Click Edit > Preferences.
2. In the left panel, select JavaScript.
3. Untick the Enable Acrobat JavaScript option.
4. Click OK.

In addition, Adobe also plans to release an automatic/silent updater that will automatically patch systems even without user intervention. This will hopefully lessen the number of users who can be victimized by attacks employing exploits for already patched vulnerabilities.

Trend Micro protects users from this threat via the Smart Protection Network, which detects all related malicious files. OfficeScan users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with IDF1003879 and IDF003885 filters.

Post from: TrendLabs | Malware Blog - by Trend Micro

Unpatched Adobe Vulnerability Is Still Being Exploited in the Wild