For the last two weeks we have been noticing significant increase of PDF exploit attacks being distributed by email with an attached PDF document posing as a fake invoice.
However, closer examination of the PDF file has shown that the exploit uses a two-year-old classified as CVE-2010-0188. Why would anyone use so old an exploit? Well affected applications are:
– Adobe Reader 9.3 and earlier versions for Windows, Macintosh, and UNIX
– Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh
There are still many people using these versions so there is a big chance for attackers to catch some fish and such an old exploit kit will cost almost nothing in comparison with zero day exploits.
The exploit itself is encoded in “Keyword” parameter and is decoded using simple “parseInt” function with unusual 0x1D (29) numeral system:
Shellcode is stored in the document’s “CreationDate” parameter as pure hexadecimal string. Converting this string to binary form will allow us to analyze shellcode directly skipping the exploit part. Shellcode firsts determine image base address of NTDLL.DLL library via PEB_LDR_DATA structure and then searches for specific code: 0C330408Bh
This is used in algorithm to calculate various functions (LoadLibrary, WinExec, TerminateThread, GetTempPath and VirtualProtect, URLDownloadToFile) from system libraries:
When necessary addresses of functions are retrieved from KERNEL32.DLL system library (image base address is also retrieved from PEB_LDR_DATA) address is again obtained from PEB, it tries to download and execute malicious files from the
URL specified at the end of shellcode:
These URLs may vary for different PDFs using the same exploit and shellcode. The downloaded malicious executable file is a stealer-type of application that steals sensitive data like web site, email logins or internet banking information.
This malware is detected by AVG as variants of Trojan horse Zbot or variant of Trojan horse PSW.Generic.
Lessons learned
What do we take from this? Keep your system and all applications such as Adobe Reader, Acrobat, Flash Player, Java and your favorite internet browser updated to the latest version.
If it’s possible, then have the auto-update feature of these programs turned on as the latest versions of these applications are not affected by this exploit.
This hash of the malicious PDF document is 1A95282CEFBD8314FC2CCD2CA42F2A15 and is detected by AVG as Trojan horse Exploit_c.VRA. Downloaded files are detected as Trojan horse Cryptic.
blog post by the AVG Viruslab Research Group
Leave a reply
