Adobe may well be hooking up that do-it-yourself butt-kicking machine right now, as the exploit that was shown has now gone from possibly exploited to “oh-boy-isn’t-this-fun” screwing up the machine status.
Security researchers are now security reporters, letting us know that the Zeus botnet has begun attacks on user’s machines, infecting them with malicious code that adds the attacked machine to the ever-growing botnet.
While Adobe did warn everyone to remove the ability for executable code to run on Windows machines, it is hardly the same as putting out an update that went full screen, telling the user that their machine was having the change made, and that, unless they were in the expert category, it should be left that way until further notice.
Some may say that this paternalistic method of care is not giving the users enough credit, but I would say it is giving them exactly the correct amount of credit, because, though many are not stupid, those not stupid are, by and large, lazy in many respects, and upkeep of the computer is one area of tremendous neglect.
A PC World article delivers more of the bad news -
The Zeus botnet is now using an unpatched flaw in Adobe’s PDF document format to infect users with malicious code, security researchers said.
The attacks come less than a week after other experts predicted that hackers would soon exploit the “/Launch” design flaw in PDF documents to install malware on unsuspecting users’ computers.
The just-spotted Zeus variant uses a malicious PDF file that embeds the attack code in the document, said Dan Hubbard, CTO of San Diego, California-based security company Websense. When users open the rogue PDF, they’re asked to save a PDF file called “Royal_Mail_Delivery_Notice.pdf.” That file, however, is actually a Windows executable that when it runs, hijacks the PC.
Just a few seconds of user attention would have taken care of it. If Adobe had done the work to make its own executable, to do the work required may have taken at most 5 hours, including the 4 hours of testing to make sure that it did no harm. Does anyone think that doing that would save the company much trouble, and assessment of blame now?
Zeus is the first major botnet to exploit a PDF’s /Launch feature, which is, strictly speaking, not a security vulnerability but actually a by-design function of Adobe’s specification. Earlier this month, Belgium researcher Didier Stevens demonstrated how a multistage attack using /Launch could successfully exploit a fully-patched copy of Adobe Reader or Acrobat.
Stevens was not the first to reveal the /Launch vulnerability. In August 2009, a module using the same flaw was added to the open-source Metasploit penetration testing kit, said HD Moore, Metasploit’s creator and the chief security officer at Rapid7. “Colin Ames of Attack Research wrote this module as part of his Black Hat USA presentation,” said Moore. “Didier’s work was independent of what we already had, but uses almost the same method at its core.”
Today, Stevens said that the Zeus attack Trojan was actually using the Metasploit module. “From what I can read, the new Zeus PDF actually uses a [Metasploit] Adobe PDF exploit,” Stevens said on Twitter , pointing to another description of the new attack by M86 Security of Orange, Calif.
Although Reader and Acrobat display a warning when an executable inside a PDF file is launched, that’s not enough to stop users from launching the bogus document, said Websense’s Hubbard. “No one is blanket-blocking PDFs at the gateway,” he said. “There’s so much business value in PDFs, and they’re very pervasive.” In other words, people trust PDFs, he said — much more even than some other popular document formats, such as Microsoft Word.
I think that opinion is now changing at every place that has been attacked, and though the users should hold themselves to blame, I think that thinking people are aware how that blame ratio will work out.
Websense has tracked several thousand Zeus attacks using the embedded malware and /Launch function. “The attacks are still going on,” Hubbard said.
While the attack technique may be new, the behind-the-scenes malware and the gang that produces it is standard Zeus fare, Hubbard continued. Zeus is best known for planting identity theft code on victims’ PC to steal, for instance, online banking logon usernames and passwords. “The motives aren’t any different here,” said Hubbard.
Last week, Mickey Boodaei, CEO of security company Trusteer, bet that the /Launch function would be quickly exploited by hackers to infect PCs with financial malware. Stevens has not released proof-of-concept attack code, but Trusteer’s engineers were easily able to duplicate his attack. Zeus’ creators seem to have taken an even quicker shortcut by grabbing code from Ames’ Metasploit module.
“This definitely gives them another tool in their arsenal,” added Hubbard, referring to the Zeus botnet operators.
Now that Zeus has weaponized the /Launch tactic, other hackers will likely pick it up as well. “That’s not uncommon,” said Hubbard, “especially if there’s a Metasploit module for it.”
Adobe did not immediately reply to questions about whether Zeus’ use of /Launch in rigged PDFs would prompt the company to release a patch for Reader and Acrobat. Previously, Adobe has acknowledged the bug, but has not committed to producing a patch. Instead, the company has urged users to change Reader’s and Acrobat’s settings to disable the vulnerable function .
Since then, Brad Arkin, Adobe’s director for product security and privacy, said that one way the company could address the issue would be to update Reader and Acrobat so that the feature is disabled. Currently, Adobe’s software turns on the /Launch function by default.
Adobe has posted instructions on how to configure Reader and Acrobat to stymie the attacks that Zeus is now conducting.
Once again, Adobe proves that either they are not understanding the problem fully, or giving the customers too much credit. Though it would be costly, getting word out on the news, by television, radio, internet, and even Twitter, would be the best way to handle this. Has time not taught every adult that when a problem occurs, getting out in front of it, and taking the correcting steps at once, is the best method of dealing with it?
Come on Adobe, you need to put out that executable, that makes the changes on the users machine, and holds their hand through the process of implementing the download, and execution. The users will thank you, and though they might soon forget your efforts, it is much better than the long memories of people that blame a company for doing nothing as they were attacked through your software.
The world is full of sheeple, stupid or lazy, or both, and more than ready to blame Adobe for the attacks on their machines.
Sun, Apr 18, 2010
Technology News