SecIT @optonline.net
from: redwolfe_98

Pdf out of nowhere

Vista 64 bit Home Premium, all updates.
Was browsing and out of the blue this thing comes up asking if I want to open a PDF or save it somewhere.
It said a PDF from uvh.lileiw.info.
But this is not the first time I got a message asking to download some random PDF...
What the heck is going on?
Tuulilapsi Kenosis
join:2002-07-29 Finland

It may be a PDF exploit, trying to infect you with malware. Never, ever open any file that you are suddenly prompted to run or download, unless you expected it, know what it is, and know that it's safe.
Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
·AT&T U-Verse
reply to SecIT

It almost certainly is a PDF exploit. The only other way such a prompt to open or save a PDF would occur would be if you were to click on a link to such a file (and any legitimate PDF is likely going to be properly identified on the site offering it for download or viewing).

-- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
jeno @bellsouth.net
reply to SecIT

Is your Adobe Flash and Acrobat/Reader updated to the latest? Better get on it... YA0D (Yet Another 0-Day) in Adobe Flash Player: »isc.sans.org/diary.html?storyid=6847
More info: »www.google.com/search?client=fir···e+Search
SirMeowmix_III @windstream.net
reply to SecIT

I literally saw this exact exploit this morning. d2.Zedo.com served the ad, which originated from ad.yieldmanager.com, which was served from foxnews.com.
A hostile PDF is downloaded:
I obtained a sample and submitted it for analysis; the payload served from PDF execution is detailed below:
»www.virustotal.com/analisis/9bc9···49562538
If your AV did not detect this, assume you are affected. It is a Vundo variant. I also saw an additional payload come down but was unable to obtain a sample; it could have been a second-stage infection.
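The post above describes triaging a PDF that an ad network pushed to the browser. As an added example (not code from anyone in this thread, and not the analysis tool the poster used), here is a small static triage script that flags the PDF features a defender looks at first: automatic actions (/OpenAction, /AA) combined with executable content (/JavaScript, /JS, /Launch, /RichMedia, /EmbeddedFile). It also undoes the `#xx` hex escapes that PDF names allow, since malicious files commonly hide keywords that way. The two sample documents are constructed inline for the example; the risky-name table and the verdict thresholds are the author's assumptions, not a standard.

```python
import re

# Constructed sample: minimal PDF with an auto-run action pointing at a
# JavaScript action whose name is hex-escaped (/Ja#76aScript == /JavaScript).
SAMPLE_SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /Ja#76aScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: a plain one-page PDF skeleton with no actions at all.
SAMPLE_BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# PDF name objects worth a second look (assumed list for this example).
AUTO_EXEC_NAMES = {
    b"/OpenAction": "action runs when the document is opened",
    b"/AA": "additional actions (page open, form events, ...)",
}
PAYLOAD_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript code",
    b"/Launch": "launches an external program or file",
    b"/RichMedia": "embedded Flash / rich media",
    b"/EmbeddedFile": "embedded file attachment",
    b"/URI": "external URI action",
}


def decode_name_escapes(data: bytes) -> bytes:
    """Resolve #xx hex escapes so /Ja#76aScript is seen as /JavaScript.

    Applied to the whole buffer for simplicity; that can also touch '#'
    inside strings, which is acceptable for a triage pass.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_name(name: bytes, data: bytes) -> int:
    """Count whole-name occurrences: /JS must not match /JSX, /AA not /AAA."""
    pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
    return len(re.findall(pattern, data))


def triage_pdf(data: bytes) -> dict:
    """Return findings and a coarse verdict for one PDF byte string."""
    normalized = decode_name_escapes(data)
    findings = {}
    for name in list(AUTO_EXEC_NAMES) + list(PAYLOAD_NAMES):
        n = count_name(name, normalized)
        if n:
            findings[name.decode()] = n

    auto_exec = any(k.encode() in AUTO_EXEC_NAMES for k in findings)
    payload = any(k.encode() in PAYLOAD_NAMES for k in findings)

    if auto_exec and payload:
        verdict = "suspicious"      # runs active content without user action
    elif findings:
        verdict = "review"          # active content present, not auto-run
    else:
        verdict = "likely benign"   # no action/payload names seen

    return {
        "valid_header": data.startswith(b"%PDF-"),
        "hex_escaped_names": normalized != data,
        "findings": findings,
        "verdict": verdict,
    }


def triage_file(path: str) -> dict:
    """Convenience wrapper for a downloaded file on disk."""
    with open(path, "rb") as fh:
        return triage_pdf(fh.read())


if __name__ == "__main__":
    for label, doc in (("suspicious sample", SAMPLE_SUSPICIOUS_PDF),
                       ("benign sample", SAMPLE_BENIGN_PDF)):
        print(label, triage_pdf(doc))
```

This is a keyword pass, not a parser: compressed object streams or encrypted documents hide these names from it, so a "likely benign" result on a file that arrived unrequested is a reason to keep it quarantined and hand it to a sandbox or an online scanner like the one used in the post, not a reason to open it.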
SecIT @optonline.net
reply to SecIT

But the funny part is I have no .pdf software to read it.
And it's happened in the past before too. I had the reader, but I got the prompts, then I clicked Cancel, then I just uninstalled Adobe.
The thing is, am I infected with something? I have no clue what to check for. And I don't use antivirus because I don't download any .exes from the net. I don't download anything, to be honest.
SirMeowmix_III @windstream.net
reply to SecIT

Re: Pdf out of nowhere

If the PDF opened or was visible at any point, you are infected. No AV? No coverage by your vendor? You are infected.
Doesn't matter if you "download or not": a vulnerability was exploited, a download was forced, and execution likely occurred.
Sorry. I've got a full PCAP of the session, including the hostile PDF, and like I said, I saw two binaries come down. Dollars to donuts you got hit with the same thing, since the end-point was the same.
Note the second-stage infection around 7:19.
Tuulilapsi Kenosis
join:2002-07-29 Finland
reply to SecIT

If you really do not have any PDF software like Adobe Reader, Foxit Reader, or anything of the sort installed on your system, then a PDF exploit would not be able to infect you. It's kind of hard to exploit something that isn't there. In this case, there's no sign of any vulnerability being actually exploited. You got a download dialog. If there had been a successful exploit, there would have been no dialog; the PDF would have opened automatically and would have infected you. If you clicked Cancel on the dialog, nothing should have happened.

With only this information, one can't tell for sure, though. But there are all sorts of things you can do to start checking. For example, we have a Security Cleanup forum here for cleaning up infections. But first, there's a list of actions to perform before posting there:
»Security Cleanup FAQ
»Mandatory Steps Before Requesting Assistance
Basically, scan the system with a whole lot of various anti-malware products. After that, here's the Security Cleanup forum: »Security Cleanup

-- Limited User Accounts. Software Restriction Policies. How about the short version?
SecIT @optonline.net
reply to SecIT

Ouch...
Eh, anyway, I downloaded Kaspersky Internet Security, updated it, and put all the scan settings on high and heuristics on high.
I'm gonna scan now.
SirMeowmix_III, what OS are you using?
Does this exploit work on Vista 64 bit with UAC on?
I'm just really paranoid now.
SirMeowmix_III @windstream.net
reply to SecIT

Post-infection scanning may, and likely will, turn up false negatives.
I am using Apple OS X. I am a huge Apple fan.
Tuulilapsi Kenosis
join:2002-07-29 Finland
reply to SecIT

PDF exploits require you to be running vulnerable PDF software targeted by the particular exploit; otherwise they cannot be successful. There have been many vulnerabilities in Acrobat Reader, for example, but many have been patched, and exploits against those patched vulnerabilities will no longer work unless you continue to use an old and unpatched version of the PDF software. The latest version of Adobe Reader is 9.1.3.

I repeat: if you do not have any PDF software on the system, there is no way that any PDF exploit could infect you. They work by exploiting vulnerabilities in PDF software. If you have no PDF software, there are no PDF software vulnerabilities to exploit on your system. If you're running Vista x64 with UAC, it's even less likely that you were infected by any PDF exploit. Quite a lot of malware doesn't work right in x64, and a lot is broken by UAC.

Antivirus scanners may cause both false negatives and false positives: sometimes they miss malware and say things are clean when they're really not, and sometimes they falsely detect a clean file as malware. Still, they're pretty decent at detecting extremely widespread stuff like Vundo. And you can use multiple scanners by taking advantage of the online scanners. (It's not a good idea to install multiple AV scanners on the same system; it may cause conflicts.)

Beyond AVs, you can use various tools to look for anything untoward in your system, if you have a bit of knowledge. Tools like Process Explorer and Autoruns (get them here: »technet.microsoft.com/en-us/sysi···ult.aspx) can show you what processes are running and what is set to autostart with Windows. Often, malware processes and autostarts can be discovered with these tools, if you know what to look for. If you're unfamiliar with them, they won't be that useful.

There is the Security Cleanup forum for people who have trouble getting their systems cleaned after an infection. But in this case, there is not yet any proof of infection. In your case, to achieve peace of mind, I would follow the instructions (Mandatory Steps Before Requesting Assistance) I linked to in my previous post, and after that post in the Security Cleanup forum if you still fear you're infected.

-- Limited User Accounts. Software Restriction Policies. How about the short version?
SirMeowmix_III @windstream.net
reply to SecIT

I missed this crucial statement: "asking if i want to open a pdf or save it somewhere."
Based on this, I fully agree with Tuulilapsi, and doubt you are infected in this instance.
Woody79_00
join:2004-07-08 united state
reply to SecIT

I doubt you're infected because of a PDF exploit.
You must have PDF software installed (i.e. Foxit, Adobe, etc.); it can't exploit what isn't there, and that in itself prevents the payload.
I would recommend getting "at least" an antivirus if running Windows.
I recommend Avira Free Edition... it has the best detection of the bunch, is pretty lightweight, and can be had for free. Paired with Windows Defender, it will help somewhat.
Millenniumle
join:2007-11-11 Fredonia, NY
reply to SecIT

I found a site that will render PDFs and display them as GIF files.
»view.samurajdata.se/
So if you only have occasion to open and view a PDF, you can forgo PDF software altogether.
Kromm @hostmonster.com
reply to SecIT

Did you have Acrobat uninstalled before you went to that site?
Also, have you tried Malwarebytes?
mike31mets
join:2004-10-30 Bronx, NY
reply to SecIT

I've had PDF files try to open via Firefox a few times. Luckily I stopped using Adobe Reader a while back and switched to Foxit Reader, which doesn't open up in Firefox for PDFs (the way I set it). I've set it to download rather than open every time, to avoid malicious PDFs trying to open up automatically. You never know what links you might be clicking on in the interwebs.
antdude A Ninja Ant Premium,VIP join:2001-03-25
reply to SecIT

Saw it this morning too. I forgot which PC it was.