Tag Archive | FireEye

Adobe Releases Emergency Patch for Adobe Reader

Adobe has released its emergency patch for a zero-day vulnerability, following a string of events over nearly the past ten days. The vulnerability was originally reported by FireEye in a blog post.

The FireEye blog stated the following:
“Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.”

After that was published, the FireEye researchers sent the bug report and sample to Adobe. Soon after, Adobe released a notification that there was a problem.

Adobe then said this past weekend that a patch would be available next week… well, it’s here.

Adobe released its patch yesterday in an effort to remediate the situation.

According to Adobe, the following versions are now available:

  •  Users of Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Reader XI (11.0.02).
  •  For users of Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader X (10.1.6).
  •  For users of Adobe Reader 9.5.3 and earlier 9.x versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader 9.5.4.
  •  Users of Adobe Reader 9.5.3 and earlier 9.x versions for Linux should update to Adobe Reader 9.5.4.
  •  Users of Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Acrobat XI (11.0.02).
  •  Users of Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh should update to Adobe Acrobat X (10.1.6).
  •  Users of Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh should update to Adobe Acrobat 9.5.4.

 

Kelihos Botnet Appears Again with New Variant

Kelihos has appeared again with a new variant, as many researchers have discovered. The variant is able to remain dormant on the machine using sinkholing techniques and other rootkit-style operations. It hides domains and does many other things to conceal itself.

This is the third attempt for the Kelihos botnet. When it was shut down back in 2011 by a collaborative effort between Kaspersky Lab and Microsoft, it was determined to be a P2P botnet, which made it more difficult to shut down all of the botnet’s operations completely. At least its main servers were cut off, but that didn’t stop the malware from spreading, since tons of blackhats still had the malcode on their own servers and computers.

Researchers at Deep End Research and FireEye have been analyzing new samples, and after some impressive research, they found that the Kelihos network is back on the rise.

“Since automated analysis systems are configured to execute a sample within a specified time frame, by executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior. Besides making a call to the function SleepEx(), the code also makes a call to the undocumented API NtDelayExecution() for performing sleep,” Abhishek Singh and Ali Islam of FireEye wrote in an analysis.

Experts are trying to discover the new roots, and another takedown may be in order. This is insanity.
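A defender-side check for the stalling behaviour the FireEye quote describes, as an added example that is not part of the original post or of FireEye's analysis: it totals the delays each process requests through SleepEx() and NtDelayExecution() in a sandbox API trace and flags processes whose sleeps cover the analysis window. The trace format, the sample lines and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample trace in a hypothetical "pid api key=value ..." format
# (an assumption for this example, not the output of any particular sandbox).
SAMPLE_TRACE = """\
1432 SleepEx dwMilliseconds=600000 bAlertable=0
1432 CreateFileW path=C:/Temp/a.tmp
2210 SleepEx dwMilliseconds=50 bAlertable=0
2210 NtDelayExecution Alertable=0 DelayInterval=-1000000
3308 NtDelayExecution Alertable=0 DelayInterval=-2000000000
3308 NtDelayExecution Alertable=0 DelayInterval=-2000000000
4500 SleepEx dwMilliseconds=4294967295 bAlertable=1
"""

INFINITE = 0xFFFFFFFF  # SleepEx timeout value meaning "wait forever"

def sleep_seconds(api, args):
    """Return the requested delay in seconds, or None if not a relative sleep."""
    if api == "SleepEx":
        ms = int(args["dwMilliseconds"])
        return float("inf") if ms == INFINITE else ms / 1000.0
    if api == "NtDelayExecution":
        interval = int(args["DelayInterval"])
        # Negative = relative delay in 100 ns units; positive = absolute time,
        # which cannot be resolved without the wall clock, so it is skipped.
        return -interval / 1e7 if interval < 0 else None
    return None

def flag_stalling(trace, window_s):
    """Map pid -> total requested sleep for pids whose sleeps cover the window."""
    totals = defaultdict(float)
    for line in trace.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        args = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        try:
            pid, delay = int(parts[0]), sleep_seconds(parts[1], args)
        except (KeyError, ValueError):
            continue  # malformed record: ignore rather than abort the scan
        if delay is not None:
            totals[pid] += delay  # cumulative, so many short sleeps also count
    return {pid: t for pid, t in totals.items() if t >= window_s}

if __name__ == "__main__":
    print(flag_stalling(SAMPLE_TRACE, window_s=300))
```

Summing per process matters because a sample can split one long delay into several shorter calls, as process 3308 does in the constructed trace.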

Java releases Update 7 for Java 7, and Update 35 for Java 6

Oracle did what all of us were hoping they would do – release an out-of-band patch for the latest Java zero-day vulnerability. The new versions of Java, 1.7.0_07 and 1.6.0_35, both fix the vulnerabilities mentioned in CVE-2012-4681.

If you need Java, we recommend that you install this update immediately. If you have no need for Java, we recommend that you uninstall it altogether if you haven’t already done so. More information from Oracle about the vulnerability and patch is available in their security alert.

Information obtained from Websense and other communities.
