On November 27, Microsoft issued a security advisory regarding the recent discovery of a zero-day vulnerability in a kernel component of Windows XP and Windows Server 2003. The advisory states that the Microsoft Windows Kernel 'NDProxy.sys' Local Privilege Escalation Vulnerability (CVE-2013-5065) can allow an attacker to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers.
Symantec is aware of the attacks attempting to exploit the vulnerability and confirms the attacks have been active since the beginning of November. The attack arrives as a malicious PDF file with file names such as syria15.10.pdf or Note_?107-41D.pdf, likely by an email attachment, although there is a possibility that targeted users are being enticed to download the malicious file from a website prepared by the attacker.
Upon successful exploitation of the vulnerability, another malicious file, observed since mid-October, is dropped onto the compromised computer which Symantec detects as Trojan.Wipbot. This Trojan collects system information and connects to a command-and-control (C&C) server. Symantec telemetry is currently reporting a small number of detections for malicious PDFs in various countries including India, Australia, United States, Chile, Hungary, Germany, Norway, and Saudi Arabia.
Figure. Distribution of attacks exploiting the vulnerability
Symantec may also detect this attack as Trojan.Pidief and Suspicious.Cloud.7.F. The following antivirus detection and Intrusion Prevention System (IPS) signature has also been added to detect the exploit code and block any downloads:
No patch is available for the Windows vulnerability, however, Microsoft has provided a workaround in its security advisory.
As always, we recommend computers be kept up to date with the latest software patches and to use the latest Symantec technologies and incorporate the latest Symantec consumer and enterprise solutions to best protect against attacks of this kind.