McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Create Account | Login  | What is TrustedSource?
 
Home  Threats and Trends  McAfee Research Blog
TrustedSource™ Query
Enter IP address, domain name or URL to check reputation/traffic patterns:
Search
 


Latest Malware Threats
 RSS Feed
Win32.Weird.e2010-02-02
Win32.Tolone2010-02-02
Worm.IrcBot.14786562009-12-10
Trojan.Drop.Agent.poa.22009-12-10
Trojan.Magania.1059882009-12-08
Trojan.PSW.Frethog.AJ.22009-12-08
View Malware Library
 


McAfee Research Blog

New Zero-Day Attacks Use PDF Documents

July 23th, 2009

As we already mentioned multiple times in the past, exploits that take advantage of newly discovered holes in popular applications represent a growing threat to Internet users. Many, if not most, computer systems are vulnerable to these attacks. More evidence shows zero-day attacks remain the preferred choice of cybercriminals.

Today, a new unpatched Adobe vulnerability has been discovered in the wild. It takes advantage of a new feature to add interactive Flash (SWF) content into PDF files. This bug was found to affect at least Adobe Reader and Acrobat 9.1.2 , as well as Adobe Flash Player 9 or later.

In our investigation of the issue, we found that Acrobat 9 introduced a new “Rich Media” annotation type, which uses Acrobat’s built-in Flash Player to play SWF content. In the current attack, specially crafted SWF files were embedded into PDF documents. These can cause Adobe Reader to execute arbitrary code when viewed. When successful, shellcode in the exploit is executed by Adobe Reader. The picture below depicts how the shellcode works and what it does:

Shellcode created by FWS

It first gets a KERNEL32.dll image base using the Windows PEB structure, sets up the required Windows APIs, then decrypts and executes its malware payload. This specific malicious PDF file contains three embedded executables encoded using a simple 1-byte XOR key. When run, it drops a file called SUCHOST.EXE and sends the information gathered from the infected machine to a free host-redirection service based in China:

  • [blocked].3322.org
  • [blocked].2288.org

The victim is then redirected to other malicious IP address(es). This malware acts as a backdoor to allow remote access to the infected computer.

According to Adobe, the Rich Media annotation is new to Acrobat 9.x and will not be understood by PDF document viewers that can support only up to Acrobat 8 specifications. Thus, if you place the SWF file with Acrobat 9 into the PDF files, it is not readable by Acrobat or Adobe Reader 8 and older versions, and will not be vulnerable to this attack.

Although details of this vulnerability have not yet become public, more attackers are likely to take advantage of this weakness. For McAfee customers, both the PDF and its associated payload can be proactively detected as “Exploit-PDF.t” since the 5683 DATs (released July 21).

Even though anti-malware vendors continue to add detection for new zero-day threats, there are several things you can do to mitigate such risks. Refrain from opening attachments from untrusted sources and visiting untrustworthy web sites.

This bug is currently being investigated by the Adobe Product Security Incident Response Team.

(Thanks to Abhishek Karnik and Aditya Kapoor for helping to analyze the malware.)


Back to McAfee Research Blog overview

McAfee Homepage | Contact | Privacy Policy

Copyright © 2007-2009 McAfee, Inc. All Rights Reserved.

ANY INFORMATION PROVIDED BY MCAFEE ON THIS BLOG ARE OFFERED "AS IS" WITH NO EXPRESS OR IMPLIED WARRANTIES, CLAIMS, PROMISES OR GUARANTEES ABOUT THE ACCURACY, COMPLETENESS, OR ADEQUACY OF THE INFORMATION CONTAINED IN OR LINKED TO AND NO RIGHTS ARE CONFERRED. BY USING THIS BLOG, YOU ASSUME ALL RISK FOR YOUR USE. IN NO EVENT WILL MCAFEE BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES WHETHER OR NOT MCAFEE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. MCAFEE HAS NO OBLIGATION TO POST BLOG SUBMISSIONS OR RESPONSES.