
Adobe 0-day Attack - Using Security Analytics to detect Zero Day exploits

Blog Post created by SeffyGHops Employee on Feb 14, 2013

NOTE: This blog is being posted on behalf of Alex Cox, Principal Research Analyst on the RSA FirstWatch team.  To read more of the FirstWatch team's blogs you can visit their RSA Speaking of Security blog page: http://blogs.rsa.com/author/rsa-first-watch-team/

------------------------------------------------------------------------------------------------------------------

 

As reported today, yet another zero-day exploit in Adobe Reader is being used in the wild in targeted attacks.  Details can be found here:

http://www.pcworld.com/article/2027946/researchers-zero-day-pdf-exploit-affects-adobe-reader-11-earlier-versions.html

As in most of these situations, RSA FirstWatch began analysing the threat as soon as it was disclosed, and this one is no different.

As part of its work on PDF exploits, the team profiled the most common methods and techniques used in PDF-based exploitation and documented them.  Those techniques were then built into a FlexParser for the RSA Live (aka NetWitness Live) library.

The good news is that the Adobe zero-day relies on a common “Open” action to exploit the target workstation, and the parser detects that forensically on the wire.  In PDF terms the open action is an /OpenAction entry in the document catalog: it tells the reader to perform an action, often a JavaScript action, the moment the file is opened, which is exactly what an exploit needs.  The action is not always malicious (legitimate documents use it to jump to a page or initialise a form), but it is unusual enough that it is worth looking for in your network traffic on a regular basis.  As with any wire-side detection, it can only fire on PDFs the sensor sees in the clear, not on a file carried inside a TLS session or an encrypted archive.
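To make the “open action” check concrete, here is a small scanner added to this post as an illustration.  It is not the RSA FlexParser and does not reproduce its logic; it simply tags a PDF in the spirit of the risk.info meta key discussed above.  It goes one step further than a byte search by inflating FlateDecode streams, because a catalog packed into a compressed object stream (/Type /ObjStm) hides /OpenAction from a plain grep.  The tag names, helper functions and the three sample PDFs are my own constructions, not real-world samples and not the exploit discussed in this post.

```python
import re
import zlib

# Tags in the style of the risk.info meta key (names are my own, not RSA's).
# /OpenAction is the catalog entry behind "pdf with open action"; the other
# keys are the usual companions of PDF-based exploitation.
ACTION_KEYS = {
    b"/OpenAction": "pdf with open action",
    b"/AA": "pdf with additional actions",
    b"/JavaScript": "pdf with javascript",
    b"/JS": "pdf with javascript",
    b"/Launch": "pdf with launch action",
}

# "N G obj ... endobj" bodies.  Good enough for a demo; a real sensor would
# walk the xref table rather than regex the whole file.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Direct /Length only; "/Length 5 0 R" (indirect) is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def _stream_body(obj_body):
    """Return the raw bytes of the stream inside one object body, or None."""
    m = re.search(rb"stream\r?\n", obj_body)
    if m is None:
        return None
    start = m.end()
    length = LENGTH_RE.search(obj_body[:m.start()])
    if length is not None:                       # direct /Length: trust it
        return obj_body[start:start + int(length.group(1))]
    end = obj_body.find(b"endstream", start)     # otherwise fall back to the keyword
    return obj_body[start:end] if end >= 0 else None


def _inflate_streams(data):
    """Yield the inflated body of every /FlateDecode stream in the file."""
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        raw = _stream_body(body)
        if raw is None or b"/FlateDecode" not in body[:body.find(b"stream")]:
            continue
        try:
            yield zlib.decompress(raw)
        except zlib.error:
            continue  # truncated or garbage stream: skip it, never crash the sensor


def classify_pdf(data):
    """Return the sorted list of tags a PDF raises (empty list for a non-PDF)."""
    if not data.startswith(b"%PDF"):
        return []
    tags = set()
    # Scan the raw bytes and every inflated stream: keys hidden in an ObjStm
    # only become visible in the second kind of view.
    for view in [data, *_inflate_streams(data)]:
        for key, tag in ACTION_KEYS.items():
            # Negative lookahead keeps /JS from matching a longer unrelated name.
            if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", view):
                tags.add(tag)
    return sorted(tags)


# ---- constructed samples (hand-built for this demo, not real malware) ----

def _build_pdf(objects):
    """Assemble a minimal PDF from (number, body) pairs; no xref table needed here."""
    out = [b"%PDF-1.5\n"]
    for num, body in objects:
        out.append(b"%d 0 obj\n" % num + body + b"\nendobj\n")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


def _objstm(objects):
    """Pack (number, body) pairs into a /FlateDecode object stream."""
    offsets, bodies, pos = [], [], 0
    for num, body in objects:
        offsets.append(b"%d %d" % (num, pos))
        bodies.append(body)
        pos += len(body) + 1
    head = b" ".join(offsets) + b"\n"
    payload = zlib.compress(head + b"\n".join(bodies))
    dictionary = b"<< /Type /ObjStm /N %d /First %d /Length %d /Filter /FlateDecode >>" % (
        len(objects), len(head), len(payload))
    return dictionary + b"\nstream\n" + payload + b"\nendstream"


CATALOG_WITH_JS = b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>"
PAGES = b"<< /Type /Pages /Kids [] /Count 0 >>"
JS_ACTION = b"<< /S /JavaScript /JS (app.alert\\(1\\)) >>"

# 1. Open action pointing at JavaScript, everything in the clear.
SAMPLE_PLAIN = _build_pdf([(1, CATALOG_WITH_JS), (2, PAGES), (3, JS_ACTION)])
# 2. Same content, but catalog and action hidden inside a compressed ObjStm.
SAMPLE_OBJSTM = _build_pdf([(2, PAGES), (4, _objstm([(1, CATALOG_WITH_JS), (3, JS_ACTION)]))])
# 3. Benign use of the same key: open action is just "go to page 1, fit to window".
SAMPLE_BENIGN = _build_pdf([
    (1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction [3 0 R /Fit] >>"),
    (2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
    (3, b"<< /Type /Page /Parent 2 0 R >>"),
])

if __name__ == "__main__":
    for name, pdf in [("plain", SAMPLE_PLAIN), ("objstm", SAMPLE_OBJSTM), ("benign", SAMPLE_BENIGN)]:
        print(name, classify_pdf(pdf), "raw grep sees /OpenAction:", b"/OpenAction" in pdf)
```

Run as a script, the three samples print their tags.  The second sample is the instructive one: its raw bytes contain no /OpenAction at all, so only the inflated view earns the tag.  The third shows a perfectly benign open action (a jump to the first page) that still gets tagged, which is why the pivot is a hunting lead to pivot and reconstruct from, not an alert on its own.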

 

To detect this attack (and others like it, zero-day or otherwise), use the following pivot in Security Analytics, or NetWitness Investigator:

 

  1. risk.info = “pdf with open action”

...which will be displayed as follows in the RSA Security Analytics “Investigation” view or in NetWitness Investigator:

https://community.emc.com/servlet/JiveServlet/showImage/102-18196-48-54584/alexadobe1.png

If we then reconstruct the session we get additional details:

https://community.emc.com/servlet/JiveServlet/showImage/102-18196-47-54577/alexadobe2.png

RSA Live (aka NetWitness Live) customers who want to make sure they have this parser loaded should look for the following in their RSA Live subscription:

https://community.emc.com/servlet/JiveServlet/showImage/102-18196-48-54585/alexadobe3.png

In the name of responsible disclosure, we can’t release additional details on the exploit at this time, but this detection gives our customers a generic way to flag suspicious PDFs while a patch from Adobe and/or additional public indicators are still pending.

Happy Hunting!

- Alex Cox, Principal Research Analyst, RSA FirstWatch
