
Archive for February 28, 2009

Do you use Adobe Reader?

Exploited PDFs have been a prevalent attack vector for a while now, but only on Windows, never on Mac.

I have discussed this here before: the prevalence, util.printf(), Virut-generated PDFs and now the zero day. This zero-day vulnerability exists in Adobe Reader 9.0 and earlier and Acrobat 9.0 and earlier versions. Unfortunately, this flaw remains unpatched at the moment; as announced in the advisory, “Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009.”

Here are a few recommendations to avoid this attack:

For Mac users:

1) Go to the Applications folder, look for Adobe Reader and launch it.

2) Once open, click “Adobe Reader” and then “Preferences”, or use the shortcut by pressing Command and comma (,).

3) In Categories, click “Internet”, look under the Web Browser options and uncheck “Display PDF in browser…”.

4) Again in Categories, click “JavaScript”, look under the JavaScript options and uncheck “Enable Acrobat JavaScript”.

5) Do not open or access PDF documents from an untrusted source, especially if you are not expecting them.

6) Make sure your security scanner is using the latest signature update, and ensure that features like real-time scanning are turned on.

For Windows users:

1) Prevent your default browser from automatically opening PDF documents. To do this, open Adobe Reader by clicking Start > All Programs > Adobe Reader <x> (where ‘<x>’ is the version). Once open, click Edit > Preferences and uncheck Display PDF in Browser.

2) Disable JavaScript in Adobe Reader and Acrobat. Click Edit > Preferences and uncheck Enable Acrobat JavaScript.

3) Do not open or access PDF documents from an untrusted source, especially if you are not expecting them.

4) Make sure your security scanner is using the latest signature update, and ensure that features like real-time scanning are turned on.

Take note that this vulnerability does not require JavaScript to exploit. However, the crafted PDFs I have seen need script to successfully execute their payload on the user’s machine, so it is best to disable it!

Please feel free to drop by and comment if this has been helpful to you! Also, if you have found suspicious websites or files, don’t hesitate to send them through to meths101 (at) optusnet (dot) com (dot) au. This will definitely help other users!

Rise of SPIM & Malicious ChatterBots

SPIM is spam sent through Instant Messaging.

These are now becoming prevalent threats. They are annoying and, unfortunately, if a user falls for their tricks, they can lead to phishing sites and/or the installation of malware. Check out this blog post from CA.

In my past blog post “Your MSN Account Has Been 0WN3D” I described how phishers get hold of your IM credentials. Apparently they are everywhere, supporting different languages, as I showed in this post “Identity Theft And Your MSN Account”.

Aside from phishers, spammers and the malware you can pick up, there is the emerging trend of malicious chatterbots.

Say you are in YM, surfing around and joining chatrooms; you’ll find that these chatterbots will immediately PM you. Obviously you can often spot whether the other end is real or not, but there are good ones that you won’t easily recognize as chatterbots. Later in the conversation you’ll find that these bots start to send a link, or sometimes ask you to install something.

One example goes like this: you join a YM chatroom and somebody sends you a request as shown below.

[Screenshot: conf_invite2]

After entering the conference room, you’ll find that it’s only you and the chatterbot.

[Screenshot: conference1]

It’s funny because it starts popping up some links, and once you reply, it just exits. **Thanks to Astr0 for the screenshots!**

Be careful and stay away from these threats!

Disable Autorun registry key

With the significant rise of malware employing autorun.inf to execute and spread, Microsoft has pushed a solution that disables Autorun through a registry key, delivered via Windows Update and Automatic Updates. Please refer to this URL for all the details: http://support.microsoft.com/kb/967715

Here are the instructions to do it manually.

How to selectively disable specific Autorun features

To selectively disable specific Autorun features, you must modify the NoDriveTypeAutoRun value under the following registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

Autorun is also known as AutoPlay. The following table shows the settings for the NoDriveTypeAutoRun registry value.

Value   Meaning
0x1     Disables AutoPlay on drives of unknown type
0x4     Disables AutoPlay on removable drives
0x8     Disables AutoPlay on fixed drives
0x10    Disables AutoPlay on network drives
0x20    Disables AutoPlay on CD-ROM drives
0x40    Disables AutoPlay on RAM disks
0x80    Disables AutoPlay on drives of unknown type
0xFF    Disables AutoPlay on all kinds of drives

Personally, I prefer the 0xFF value, which disables AutoPlay on all kinds of drives. The drawback is when you are installing from CD, because you have to manually execute the setup instead of it running automatically. The good thing is that you’ll be safe from autorun malware!
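As an added example (not from the original post), the PowerShell below sets NoDriveTypeAutoRun to 0xFF under the Policies\Explorer key above, then reads it back and decodes the mask bit by bit against the table, which goes one step beyond the manual instructions by verifying what actually got applied. It assumes an elevated PowerShell prompt, since the key lives under HKEY_LOCAL_MACHINE.

```powershell
# Added example: apply the 0xFF setting from the post and verify it (run elevated).
$key  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$name = 'NoDriveTypeAutoRun'
$mask = 0xFF   # disable AutoPlay on all kinds of drives

# The Policies\Explorer subkey may not exist on a fresh system; create it if needed.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name $name -Value $mask -Type DWord

# Read the value back so we trust the registry, not the command we just ran.
$current = (Get-ItemProperty -Path $key -Name $name).$name

# Bit meanings taken from the NoDriveTypeAutoRun table above.
$bits = @{
    0x1  = 'drives of unknown type'
    0x4  = 'removable drives'
    0x8  = 'fixed drives'
    0x10 = 'network drives'
    0x20 = 'CD-ROM drives'
    0x40 = 'RAM disks'
    0x80 = 'drives of unknown type'
}

"NoDriveTypeAutoRun = 0x{0:X2}" -f $current
foreach ($b in ($bits.Keys | Sort-Object)) {
    # A set bit means AutoPlay is disabled for that drive type.
    $state = if ($current -band $b) { 'disabled' } else { 'STILL ENABLED' }
    "  0x{0:X2}  AutoPlay on {1,-23} {2}" -f $b, $bits[$b], $state
}
```

Any line reporting STILL ENABLED after a reboot means the value did not take effect, which is worth checking on machines managed by Group Policy, where policy can rewrite this key.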
