With contributions from Manoj Venugopalan, Senior Malware Analyst, Symantec
Introduction
A new day and a new zero-day PDF exploit used in a targeted attack, which our Skeptic heuristic engine stopped. This one exploits a vulnerability in the 3D engine in Adobe Reader (CVE-2011-2462, http://www.adobe.com/support/security/advisories/apsa11-04.html), which is often used to display a 3D wire-mesh object that you can rotate and view from all angles in real time. An architect might use it to mock up a plan for a building that the customer can view from within the PDF, very cool. However, the more functions you add to your software, the more opportunities there are to exploit the format.
Details
The targeted attack against Adobe Reader 9.4.6 on Windows was originally sent in 5 emails on the 1st of December, with another 16 sent on the 5th of December. Standard fare for a targeted attack: it's coming from a free webmail service with no spoofing involved.
There were 3 X-Originating-IP addresses for the computers that connected to the webmail service to send these attacks. All are located in the United States and all appear to be compromised machines: 1 appears to be a mail server, 1 a web server, and the last is simply listed as a static IP according to the DNS lookup.
On the social engineering side, they are pretending to be a government agency sending out a new contract guide for contractors of that agency.
It's actually quite well written, which is rare in these kinds of attacks, although it lacks any personal or departmental email signature, with the exception of the "This email message is for the sole use of the intended recipients" disclaimer.
The attackers have also bypassed the free webmail service's own signature, which states something to the effect of "Use [name of free webmail service].com for free emails", and the other advertisements that are sometimes added to the bottom of webmail emails you send.
News reports state that this exploit has been used in attacks against defence contractors; we have also seen other industry types being attacked, including the following:
| Company | Industry Sector | Number Blocked |
| --- | --- | --- |
| Company 1 | Telecoms | 2 |
| Company 2 | Wholesale | 1 |
| Company 3 | Manufacturing | 7 |
| Company 4 | Computer Hardware | 2 |
| Company 5 | Chemical | 9 |
This is a new zero-day and they aren't using it against one specific target; they are trying several while keeping the numbers low so that it is hard to spot.
Technical Analysis
Currently, the malicious PDF sample crashes after invoking A3DUtility.exe (Adobe Reader 3D Utility) because this specific PDF contains a corrupted compressed object, which means the malware currently isn't working. This error also makes it difficult to extract the executable the malicious PDF should drop.
The PDF contains a U3D object which is compressed using the common deflate compression method.
Like many other Adobe Reader exploits, this PDF contains JavaScript that is highly obfuscated using multiple variable references and loops. As this is a U3D memory-corruption vulnerability, the attacker used a heap overflow by loading an array with a huge string. The string contains hex strings for padding, followed by the shellcode.
The exploit code worked against versions of Adobe Reader 9.x, but not against Adobe Reader X versions above 10.0. Although versions below 10.1.1 may be vulnerable according to the advisory, the exploit code used in this attack created an infinite recursive loop on versions greater than 10.0.
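As an added illustration (not code from the original post or from Symantec), the following Python triage script applies the static checks described above to a constructed sample: it walks a PDF's FlateDecode streams, inflates them, flags a U3D object sitting next to document JavaScript, looks for the unescape()-padding pattern of a sprayed string, and records any stream that fails to inflate, the corrupted-object condition that currently makes the real sample crash. The PDF bytes, object layout and indicator names are constructed assumptions for the example.

```python
import re
import zlib

# Constructed sample objects (not the real exploit): a U3D stream and an
# OpenAction-triggered JavaScript stream carrying a heap-spray-style string.
U3D_BODY = b"U3D\x00" + b"\x00" * 64
JS_BODY = (b"var pad = unescape('%u0c0c%u0c0c');"
           b"while (pad.length < 0x20000) pad += pad;"
           b"var sc = unescape('%u9090%u9090');")

def flate_obj(num, extra, body, corrupt=False):
    """Build one PDF object whose stream is FlateDecode-compressed."""
    data = zlib.compress(body)
    if corrupt:
        data = data[:len(data) // 2]  # truncated, like the broken object in the sample
    return (b"%d 0 obj\n<< %s /Filter /FlateDecode /Length %d >>\nstream\n"
            % (num, extra, len(data)) + data + b"\nendstream\nendobj\n")

def build_pdf(corrupt_u3d=False):
    """Assemble a minimal constructed PDF: catalog with OpenAction JS, U3D object, JS stream."""
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS 3 0 R >> >>\nendobj\n"
            + flate_obj(2, b"/Type /3D /Subtype /U3D", U3D_BODY, corrupt_u3d)
            + flate_obj(3, b"", JS_BODY)
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

# Simplified stream matcher: flat dictionaries only (no nested << >> before 'stream').
STREAM_RE = re.compile(rb"<<([^>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# unescape() of two or more %uXXXX units is the padding/shellcode string shape.
SPRAY_RE = re.compile(rb"unescape\(\s*['\"](?:%u[0-9a-fA-F]{4}){2,}['\"]\s*\)")

def triage_pdf(pdf):
    """Return the set of indicators found in the PDF bytes."""
    found = set()
    if b"/JavaScript" in pdf or b"/JS" in pdf:
        found.add("javascript")
    for dictionary, raw in STREAM_RE.findall(pdf):
        if b"/U3D" in dictionary:
            found.add("u3d_object")
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                found.add("corrupt_flate_stream")  # inflate failed: damaged object
                continue
        if SPRAY_RE.search(data) and b"+=" in data:  # padding string grown in a loop
            found.add("heap_spray_pattern")
    return found

def risk_level(found):
    """U3D content combined with JavaScript is the combination this attack relies on."""
    if {"u3d_object", "javascript"} <= found:
        return "high"
    return "medium" if found & {"javascript", "heap_spray_pattern"} else "low"
```

Run against a corpus of quarantined attachments, a "high" result with a corrupt stream matches the behaviour described above: the U3D trigger and JavaScript are present but the damaged object stops the payload from running.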
Adobe expects to make available an update for Adobe Reader 9.x and Acrobat 9.x for Windows no later than the week of December 12, 2011.
For further information, please also read Adobe Reader Zero-day being exploited in the wild (Symantec Connect Blog).
The latest November 2011 Symantec Intelligence report (PDF) also includes additional information on targeted attacks and advanced persistent threats (APTs).