Threat and cybercrime trends: Adobe software vulnerabilities

Exploiting vulnerabilities in well-known software and Web applications has become the norm in today’s threat landscape. Last month saw hackers attempting to exploit unpatched bugs in Adobe Flash Player, Reader and Acrobat. Since many readers will not be familiar with security terminology, we will try to explain the terms as we go. If you have any concerns or questions, please contact us.

What exactly is a vulnerability?

Vulnerabilities are weak points in software or operating systems that allow remote attackers to make a system execute commands of their choosing. Application bugs exist because of programming oversights, misconfiguration, or other factors, and cybercriminals waste no time in taking advantage of vulnerable systems.

A few weeks ago, TROJ_ADOBFP.SM was identified as taking advantage of a known vulnerability in certain Adobe products. It drops a malicious file detected as TROJ_DROPPER.ADO into infected systems, which then drops a backdoor program detected as BKDR_COSMU.KO.

What is a backdoor program?

Backdoor programs silently execute malicious commands on compromised systems without the users’ knowledge. BKDR_COSMU.KO tries to connect to a remote URL to execute certain malicious commands. It also steals information from the affected systems such as drive information, OS, file or directory list, as well as a list of existing processes and services. Additionally, it allows attackers to execute malicious commands and take control of infected systems. When this happens, an infected system can either freeze or crash.

Just last week, another zero-day vulnerability in Adobe Flash Player was found. This time, cybercriminals sent out spam with a Microsoft Word file attachment. The attachment, detected as TROJ_MDROP.WMP and named ‘Disentangling_Industrial_Policy_and_Competition_Policy.doc’, had a malicious .SWF file embedded in it, detected as SWF_EXPLOIT.WMP. Opening the attached document executes the .SWF file, which results in the exploitation of the Adobe Flash Player vulnerability.

After successful exploitation of the vulnerability, TROJ_MDROP.WMP drops a backdoor program detected as BKDR_SHARK.WMP into infected systems. This file is capable of executing commands such as retrieving an infected system’s OS version, switching user profiles, downloading and uploading files, and other malicious routines.

Adobe is expecting to release the corresponding security patches sometime within the month. For customers using Trend Micro Deep Security, coverage against this vulnerability will become available from Tuesday 26th April. Rule name: 1004647 – Restrict Microsoft Office File with embedded swf
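The Deep Security rule above blocks Office documents that carry an embedded Flash file, which is exactly the shape of the attachment described in the previous paragraphs. As an added illustration of what such a check involves (this is example code written for this page, not Trend Micro’s rule or any Adobe code), the script below inspects an Office file and reports any embedded SWF headers. It relies only on two public facts: SWF files begin with one of the signatures FWS, CWS or ZWS followed by a version byte and a little-endian length, and Office documents are either OLE2 compound files (legacy .doc) or zip containers (.docx). The sample document it scans is constructed in memory; file names and the fake SWF payload are assumptions for the demonstration.

```python
import io
import struct
import zipfile

# SWF headers start with "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA),
# then a 1-byte version and a 4-byte little-endian uncompressed length.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# Signature of an OLE2 compound file (legacy binary .doc/.xls/.ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def find_swf_offsets(data: bytes) -> list:
    """Return offsets in a byte blob where a plausible SWF header begins."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx == -1:
                break
            if idx + 8 <= len(data):
                version = data[idx + 3]
                length = struct.unpack_from("<I", data, idx + 4)[0]
                # Reduce false positives: sane version byte, and for an
                # uncompressed SWF the declared length must fit in the blob.
                fits = magic != b"FWS" or length <= len(data) - idx
                if 1 <= version <= 50 and fits:
                    hits.append(idx)
            start = idx + 1
    return sorted(hits)


def scan_office_file(blob: bytes) -> dict:
    """Classify the container and list (member name, offset) of embedded SWFs."""
    result = {"container": "unknown", "swf_hits": []}
    if blob.startswith(OLE_MAGIC):
        # Legacy format: embedded objects sit in OLE streams stored as raw
        # sectors, so a scan of the whole file catches uncompressed payloads.
        # (A header split across non-contiguous sectors would be missed;
        # a full OLE stream parser would be needed for that case.)
        result["container"] = "ole2"
        result["swf_hits"] = [("<raw>", off) for off in find_swf_offsets(blob)]
    elif blob.startswith(ZIP_MAGIC):
        # OOXML: a zip archive; inspect every member after decompression.
        result["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                for off in find_swf_offsets(zf.read(name)):
                    result["swf_hits"].append((name, off))
    result["suspicious"] = bool(result["swf_hits"])
    return result


def build_sample_docx(with_swf: bool) -> bytes:
    """Constructed test input: a minimal OOXML zip, optionally with a fake SWF."""
    # 32-byte stand-in for a Flash file: "FWS", version 10, length 32, padding.
    fake_swf = b"FWS" + bytes([10]) + struct.pack("<I", 32) + b"\x00" * 24
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_swf:
            # Assumed member name; real documents vary.
            zf.writestr("word/embeddings/oleObject1.bin", fake_swf)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        report = scan_office_file(build_sample_docx(flag))
        print(f"embedded swf={flag}: {report}")
```

A mail gateway or endpoint agent would run the same logic over attachments and quarantine anything reported as suspicious; the hit list tells an analyst which zip member or file offset to pull for further inspection.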

As software publishers like Adobe cannot immediately release patches for zero-day vulnerabilities, these flaws will continue to give cybercriminals an opportunity to compromise users’ systems. As patches can take days, weeks, or even months to be released, we recommend users take the following steps to mitigate risk.

Practice extreme caution when dealing with email messages – especially those from unverified sources that contain attachments.

Be extremely wary of the websites you visit – the malware from which the entire infection chain originates usually arrives via malicious sites.

Refrain from downloading unknown files – malware can reside in any file type; only open files from known sources to stop the infection chain before it begins.

For more information read this Adobe Security Bulletin.

About SCB Enterprises
System Solutions and Integration
