[nsp-sec] Adobe Reader 0day

Matthew.Swaar at us-cert.gov
Fri Feb 20 18:50:28 EST 2009


I appear to have committed a greater sin than just fubar-ing the format
on these domains/IPs in my sleep-deprived state this morning.  In my
haste to get these assembled, I accidentally included two domains that
were involved in older Adobe-related incidents, and NOT the 0day
activity.

Msus.6600.org and cpos.8800.org are not believed to be associated with
the 0day exploitation, and should not have been included in the list I
put out.

Sorry for the inaccuracies.

V/R,
Matt Swaar
US-CERT Analyst 

-----Original Message-----
From: Swaar, Matthew 
Sent: Friday, February 20, 2009 4:15 AM
To: Swaar, Matthew; 'nsp-security at puck.nether.net'
Subject: RE: Adobe Reader 0day

Futile attempt to correct formatting likely follows:

jmyp.8800.org (123.120.99.37) on port 80 and 21 shareitok.51.net
(219.232.224.95) hXXp://cpos.8800.org/logo.php (211.115.80.147)
msus.6600.org js001.3322.org (222.35.136.119) 

V/R,
Matt Swaar 

-----Original Message-----
From: Swaar, Matthew
Sent: Friday, February 20, 2009 4:13 AM
To: Swaar, Matthew; 'nsp-security at puck.nether.net'
Subject: RE: Adobe Reader 0day

Domains/IPs that US-CERT believes may have been associated with specific
attacks:

(These were back-channels / drops, not the IP the e-mail attacks
originated from)

jmyp.8800.org (123.120.99.37) on port 80 and 21 shareitok.51.net
(219.232.224.95) hXXp://cpos.8800.org/logo.php (211.115.80.147)
msus.6600.org js001.3322.org (222.35.136.119)

V/R,
Matt Swaar
US-CERT Analyst 

-----Original Message-----
From: Swaar, Matthew
Sent: Friday, February 20, 2009 3:40 AM
To: nsp-security at puck.nether.net
Subject: Adobe Reader 0day

For those that haven't seen this yet:

http://www.theregister.co.uk/2009/02/20/adobe_reader_exploit/
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
http://www.adobe.com/support/security/advisories/apsa09-01.html

I can confirm that there is active (targeted) exploitation taking place.

V/R,
Matt Swaar
US-CERT Analyst