Zero-day season is far from over as reports indicate that an exploit was found targeting zero-day vulnerabilities for certain versions of Adobe Reader. This discovery came on the heels of the recent Adobe Flash Player incident that occurred last week.
In the related samples we gathered, the exploit is disguised as a .PDF file (detected by Trend Micro as TROJ_PIDIEF.KGM), which is crafted to target still unpatched vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe PDF Reader versions 9, 10, and 11. Once executed, it drops the .DLL file TROJ_INJECT.CPX along with the non-malicious file %User Temp%\Visaform Turkey.pdf. The said file is dropped as a way to hoodwink users into thinking that the specially crafted .PDF file is non-malicious.
However, in the exploit sample we analyzed, we noticed that it also drops a malicious .DLL file designed for 64-bit machines (detected by Trend Micro as TROJ64_INECT.CPX). The people behind this threat may have included this 64-bit malware in an attempt to evade detection by anti-malware programs.
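The dropper behavior described above (Adobe Reader writing a decoy .PDF plus one or more .DLL files into the user's temp folder) is something defenders can look for in file-write telemetry. The following is an added detection example, not code from the original post or from Trend Micro; the log format is constructed, and the Reader process name AcroRd32.exe and the temp-path pattern are assumptions.

```python
import re

# Constructed file-write telemetry (Sysmon/EDR-style); not real data.
SAMPLE_EVENTS = [
    "2013-02-13T10:01:02 proc=AcroRd32.exe pid=1234 op=write path=C:\\Users\\bob\\AppData\\Local\\Temp\\Visaform Turkey.pdf",
    "2013-02-13T10:01:03 proc=AcroRd32.exe pid=1234 op=write path=C:\\Users\\bob\\AppData\\Local\\Temp\\payload32.dll",
    "2013-02-13T10:01:04 proc=AcroRd32.exe pid=1234 op=write path=C:\\Users\\bob\\AppData\\Local\\Temp\\payload64.dll",
    "2013-02-13T10:05:00 proc=winword.exe pid=2000 op=write path=C:\\Users\\bob\\Documents\\report.docx",
    "2013-02-13T10:06:00 proc=setup.exe pid=3000 op=write path=C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) op=(?P<op>\w+) path=(?P<path>.+)$"
)
READER_PROCS = {"acrord32.exe"}          # assumed Adobe Reader process name
TEMP_MARKER = "\\appdata\\local\\temp\\"  # assumed %User Temp% location


def parse_event(line):
    """Parse one constructed telemetry line into a dict, or None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev


def find_reader_dll_drops(lines):
    """Flag Reader processes that write .DLL files into the temp folder.

    A PDF viewer has no business dropping DLLs; a decoy .PDF written by the
    same process is recorded as supporting context, as in the sample above.
    """
    by_pid = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "write" or ev["proc"].lower() not in READER_PROCS:
            continue
        low = ev["path"].lower()
        if TEMP_MARKER not in low:
            continue
        rec = by_pid.setdefault(ev["pid"], {"dlls": [], "pdfs": []})
        if low.endswith(".dll"):
            rec["dlls"].append(ev["path"])
        elif low.endswith(".pdf"):
            rec["pdfs"].append(ev["path"])
    # Only a DLL write is an alert; a lone temp PDF is normal viewer behavior.
    return [{"pid": pid, "dlls": r["dlls"], "decoy_pdfs": r["pdfs"]}
            for pid, r in by_pid.items() if r["dlls"]]
```

Only the Reader process (pid 1234) is flagged; the unrelated installer writing a DLL to temp is ignored because the rule is scoped to the PDF viewer.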
Adobe is currently working on a security advisory for these vulnerabilities and has promised to release updates that fix them. For the latest developments regarding this incident, readers may check Adobe’s blog.