The Latest in IT Security

PDF Malware Writers Keep Targeting Vulnerability


We keep seeing new waves of PDF file-based attacks that exploit the Adobe Acrobat and Reader CVE-2010-0188 Remote Code Execution Vulnerability (BID 38195) that exists in certain unpatched versions of a popular PDF reading application. All these attacks were stopped by Symantec’s Skeptic™ technology

A typical example of such an exploited PDF sample contains highly obfuscated JavaScript, as shown in figure 1.

Figure 1: Portion of obfuscated JavaScript

The JavaScript was embedded in an XFA object (object 8 in the above figure) in an Acrobat Form. The JavaScript manipulated a subform field by using a reference to an embedded element, “qwe123b” in the example. When such an exploited PDF sample is loaded into the vulnerable PDF reading application, the XFA initialize activity is triggered and the embedded JavaScript will be called. After manually de-obfuscating it, we were able to extract the hidden JavaScript (figure 2).

Figure 2: Portion of extracted hidden obfuscated JavaScript

Further analysis shows that the JavaScript actually exploits a known vulnerability – Adobe Acrobat and Reader CVE-2010-0188 Remote Code Execution Vulnerability (BID 38195) – where an invalid value in a tagged image file format (TIFF) image generated by the JavaScript corruptsthe TIFF parser (LibTIFF) in certain unpatched versions of a popular PDF reading application.

Similar to the findings presented in one of our previous blogs the JavaScript does a few things as well:

  1. Determines the current version of the PDF reading application and constructs the correct exploited TIFF file and shellcode.
  2. Sprays the shellcode into memory.
  3. Assigns the exploited TIFF image to the "rawValue" of the pre-defined form element to trigger the vulnerability when the image gets displayed.

It is interesting to note that the version of the PDF reading application being exploited will be converted to a huge integer and compared to a certain threshold which represents one of the application versions. This is probably designed by the malware writer to confuse malware analysts and/or antivirus (AV) scanners. In this instance, we also notice that the generated TIFF images and shellcode remain the same regardless of the PDF reading application version.

A portion of the extracted hexadecimal encoded shellcode is shown in figure 3.

Figure 3:Portion of the extracted hexadecimal encoded shellcode

When examining it further, it shows that there is a URL at the end of the file (figure 4).

Figure 4: Malicious executable file link in shellcode

It clearly shows that a malicious executable file will be downloaded once the shellcode gets executed successfully. Unfortunately, the malicious file link only existed for a very short time and we have been unable to retrieve the actual executable sample as yet.

Symantec.Cloud has protected our customers from all such attacks. Our analysis reveals that Skeptic™ has successfully blocked over ten thousand PDF files with such exploits in the past two weeks (figure 5). It clearly shows that the attacks were carried out in several main waves spread over the period detailed in the figure. The most aggressive attack was launched on the 16th of February, which saw over 3,000 hits in one run, followed by the attack stopped on the 6th of the same month.

Figure 5: PDF attacks through emails stopped by Symantec.Cloud over a period of two weeks

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments