    Author Archive - JJ Reyes (Advanced Threats Researcher)

    Trend Micro threat analysts were alerted to the discovery of a zero-day exploit that affects Adobe Reader and Acrobat 9.1.3 and earlier versions (CVE-2009-3459). Trend Micro detects this as TROJ_PIDIEF.UO. This .PDF file contains embedded JavaScript, which Trend Micro detects as JS_AGENTT.DT. This JavaScript is used to execute arbitrary code using a technique known as heap spraying. In addition, there is a possibility that a future variant may be created that does not use JavaScript to exploit the said vulnerability.

    Based on our findings, the shellcode (that was heap sprayed) jumps to another shellcode inside the .PDF file. The said shellcode then extracts and executes a malicious file detected by Trend Micro as BKDR_PROTUX.BD. The said backdoor is also embedded in the .PDF file, rather than being the usual file downloaded from the Web. Protux variants are known for their ability to provide unrestricted user-level access to a malicious user. Earlier variants of the Protux backdoor were seen to have been used as payload in previous attacks exploiting vulnerabilities in Microsoft Office files.


    As of this writing, Adobe has indicated that it will include this vulnerability in its upcoming security update release. Meanwhile, users are recommended to disable JavaScript in Adobe Acrobat/Reader to mitigate the said attack. To do this, they should follow these steps:

    1. Run Acrobat or Adobe Reader.
    2. Go to Edit > Preferences.
    3. Select JavaScript under the Categories tab.
    4. Uncheck the “Enable Acrobat JavaScript” option.
    5. Click OK.

    Users are also advised to patch their systems as soon as Adobe releases the security patch. Trend Micro protects users with the Smart Protection Network by detecting the said exploit.
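
A triage check for the indicators described above (JavaScript and a file embedded inside the .PDF), as an added example that is not Trend Micro's detection logic. The keyword list, function names and sample bytes are assumptions constructed for illustration.

```python
import re

# Standard PDF name tokens worth flagging during triage (assumed watch list).
SUSPICIOUS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/EmbeddedFile", "/Launch")

# A PDF name runs from "/" up to the next whitespace or delimiter character.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is read as /JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage(data: bytes) -> dict:
    """Count watched names in the raw bytes (compressed streams are not inflated)."""
    counts = {name: 0 for name in SUSPICIOUS}
    for match in _NAME.finditer(data):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def findings(counts: dict) -> list:
    """Turn the counts into short notes for an analyst."""
    notes = []
    if counts["/JS"] or counts["/JavaScript"]:
        notes.append("embedded JavaScript")
    if counts["/OpenAction"] or counts["/AA"]:
        notes.append("automatic action on open")
    if counts["/EmbeddedFile"]:
        notes.append("embedded file stream")
    return notes


# Constructed sample: harmless bytes that only mimic the document structure.
SAMPLE = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R /Names 3 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (app.alert\\('constructed'\\);) >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(findings(triage(SAMPLE)))
```

An empty result is not a clean verdict: names inside compressed object streams are not seen by this scan, and, as noted above, a future variant may not use JavaScript at all.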


    Cyber criminals have now updated their PDF exploits to include the getIcon() vulnerability (CVE-2009-0927). We currently detect this as TROJ_PIDIEF.OE.

    As usual, we highly encourage users to update now to the latest versions of Adobe Acrobat and Adobe Reader (if you haven’t yet). Reading the security advisory by Adobe closely, we see that this issue was previously fixed in version 8.1.3 but not for version 9.0:

    The Adobe Reader and Acrobat 9.1 and 7.1.1 updates resolve an input validation issue in a JavaScript method that could potentially lead to remote code execution. This issue has already been resolved in Adobe Reader 8.1.3 and Acrobat 8.1.3. (CVE-2009-0927)




    10:56 am (UTC-7)   |    by

    Or ‘Yet Another Excel Exploit’. A post was made yesterday to
    Full-Disclosure on a(nother) 0-day for Excel. And yes, code
    execution is possible. This time, a user needs to open the file and
    click on a (specially-crafted, a buzzword nowadays) link specified
    inside the file to trigger the exploit. The same safety precautions
    apply as whenever a 0-day is out:

    Do not open Microsoft Excel files that you
    receive from un-trusted sources.

    This vulnerability could be exploited when a user opens an Excel
    file and clicks on a specially-crafted link inside the file. Excel
    files from trusted sources or Excel files that are known to be
    trusted can continue to be used.

    *slightly modified Suggested Action from Microsoft.

    TrendLabs is currently in the process of creating a generic
    pattern for this exploit.

    Posted in Bad Sites | Comments Off on YAEE

    According to Internet Storm Center (ISC), a 0-day in MS Word was used in a targeted attack against a certain company. We’ve also received a customer inquiry, and yes, we are aware of it.

    I’ve sent out a request for the sample, and hopefully, we’ll have it by today.

    Update(Jovs, 20 May 2006 00:48:01)

    We have just acquired a sample for this which is now being processed by our Engineers. I will soon update this blog with the malware name.

    Update(Jovs, 20 May 2006 05:38:59)

    I just received word that this malware will be detected as W97M_MDROPPER. As of now, there are already two variants of this malware, namely W97M_MDROPPER.AB and W97M_MDROPPER.AC.

    Posted in Bad Sites | Comments Off on 0-day MS Word used in targetted attack

    Yes, obviously a copy-pasted title, and this one is from PC Magazine.

    To summarize, the author discusses how and what Security Vendors should do in order to keep Microsoft at bay (coming from an end-user, that is).

    And oh, a quote:

    “Trend Micro has all the right tools in the box, but its antispyware component is a major disappointment.”

    But hey, our antispyware is still improving and will improve (of course!). And we have “all the right tools in the box”. Still, not a bad description and plus-points for us.

    Read it here.

    Posted in Bad Sites | Comments Off on “An Open Letter to Security Vendors”

