Adobe released a new version of Adobe Reader on October 5th. It includes the patched module for the Adobe Reader 'CoolType.dll' TTF Font Remote Code Execution Vulnerability (BID: 43057). As Karthik Selvaraj wrote in a previous blog, this vulnerability is already being exploited by malware, which is detected as Bloodhound.Exploit.357. The total number of detected files is over ten thousand in the past week.
The Flash files are used as a heap spray to execute the viral code; more precisely, the heap spray is a JIT spray. At a glance the Flash file looks clean, because the AVM (ActionScript Virtual Machine) code it contains appears harmless. The decompiled AVM code is as follows:
0x3c909090 ^ 0x3c909090 ^0x3c909090 ^ …. ^ 0x3c90e7ff ^ 0x3ccccccc
It just calculates double word values with XOR, but the native code that the JIT compiler generates for this expression leads to the malicious shellcode.
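The decompiled expression above has two traits a scanner can key on: every immediate shares the same top byte, and the remaining bytes are almost entirely single-byte x86 padding (0x90 NOP, 0xCC INT3). The heuristic below, an added example that is not part of the original post or of any Symantec engine, scores a decompiled XOR chain on exactly those traits. The sample expressions, the threshold of 16 terms and the 80% padding ratio are constructed assumptions for illustration, not values taken from the post.

```python
import re

# Constructed sample shaped like the decompiled AVM expression quoted in the post
# (60 copies of 0x3c909090, then the two distinct trailing constants).
SAMPLE_EXPR = " ^ ".join(["0x3c909090"] * 60 + ["0x3c90e7ff", "0x3ccccccc"])
# Constructed benign expression: short chain, varied bytes.
BENIGN_EXPR = "0x0000ffff ^ 0x12345678 ^ 0x0badf00d"

# Single-byte x86 padding commonly seen inside sprayed constants (assumption: only these two are checked).
PAD_BYTES = {0x90, 0xCC}

def parse_xor_chain(expr):
    """Return the 32-bit immediates of a pure '^' chain of hex literals, or [] if expr is not one."""
    parts = [p.strip() for p in expr.split("^")]
    if len(parts) < 2:
        return []
    vals = []
    for p in parts:
        if not re.fullmatch(r"0x[0-9a-fA-F]{1,8}", p):
            return []
        vals.append(int(p, 16))
    return vals

def high_byte(v):
    return (v >> 24) & 0xFF

def low_bytes(v):
    return [(v >> shift) & 0xFF for shift in (0, 8, 16)]

def jit_spray_score(expr, min_terms=16, min_pad_ratio=0.8):
    """Heuristic verdict: long XOR chain + one constant high byte + mostly padding bytes."""
    vals = parse_xor_chain(expr)
    if len(vals) < min_terms:
        return {"suspicious": False, "terms": len(vals)}
    high = {high_byte(v) for v in vals}
    lows = [b for v in vals for b in low_bytes(v)]
    pad_ratio = sum(b in PAD_BYTES for b in lows) / len(lows)
    return {
        "suspicious": len(high) == 1 and pad_ratio >= min_pad_ratio,
        "terms": len(vals),
        "high_bytes": sorted(high),
        "pad_ratio": round(pad_ratio, 2),
    }

if __name__ == "__main__":
    print(jit_spray_score(SAMPLE_EXPR))
    print(jit_spray_score(BENIGN_EXPR))
```

The score is meant as a triage signal over decompiler output, not a signature: a legitimate checksum routine can also XOR many constants, which is why the verdict requires all three traits together rather than any one of them.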
A more advanced technique is to embed a PDF file inside a PDF file. The third object contains a stream whose subtype is indicated as “application/pdf”. The stream uses the “FlateDecode” filter, so the embedded PDF is compressed with Zlib/deflate. To identify a PDF exploiting this vulnerability, that stream has to be inflated and the result parsed by the PDF parser again.
The PDF embedded in the PDF file is always the same one, and it is used only to trigger the vulnerability. We detect PDF malware using this technique as Bloodhound.Exploit.357 as well.
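The inflate-and-reparse step described above, as an added example that is not part of the original post or of any Symantec scanner: it walks every stream object of a PDF, inflates FlateDecode streams, checks whether the decoded bytes begin with a `%PDF-` header, and recurses into any nested document it finds. The outer and inner PDFs are constructed, harmless samples; the `/Subtype /application#2Fpdf` name (PDF name syntax escapes the slash as `#2F`) and the object number 3 mirror the post's description and are assumptions of the sample, not bytes from the real malware. The dictionary parser is deliberately minimal and does not handle nested `<< >>` dictionaries.

```python
import re
import zlib

# Constructed inner PDF: a header and one object, nothing else.
INNER_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

def build_outer_pdf(payload):
    """Construct an outer PDF whose object 3 carries `payload` in a FlateDecode stream."""
    compressed = zlib.compress(payload)
    return (
        b"%PDF-1.6\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Count 0 /Kids [] >>\nendobj\n"
        b"3 0 obj\n<< /Type /EmbeddedFile /Subtype /application#2Fpdf"
        b" /Filter /FlateDecode /Length " + str(len(compressed)).encode() + b" >>\n"
        b"stream\n" + compressed + b"\nendstream\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )

# "N G obj << dict >> stream\n"; the tempered (?!endobj) keeps a match from spanning objects.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)

def iter_streams(pdf):
    """Yield (object number, dictionary bytes, raw stream bytes) for each stream object."""
    for m in OBJ_RE.finditer(pdf):
        dict_bytes = m.group(3)
        start = m.end()
        length = re.search(rb"/Length\s+(\d+)", dict_bytes)
        # Trust /Length when present; fall back to the endstream keyword otherwise.
        end = start + int(length.group(1)) if length else pdf.find(b"endstream", start)
        yield int(m.group(1)), dict_bytes, pdf[start:end]

def decode_stream(dict_bytes, raw):
    """Inflate FlateDecode streams; return None for corrupt deflate data."""
    if b"/FlateDecode" not in dict_bytes:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return None

def find_nested_pdfs(pdf, depth=0, max_depth=3):
    """Return (depth, object number, declared /Subtype) for every stream that decodes to a PDF."""
    hits = []
    if depth > max_depth:
        return hits
    for objnum, dict_bytes, raw in iter_streams(pdf):
        data = decode_stream(dict_bytes, raw)
        if data is None:
            continue
        sub = re.search(rb"/Subtype\s*/(\S+)", dict_bytes)
        declared = sub.group(1).decode(errors="replace") if sub else ""
        if data.lstrip().startswith(b"%PDF-"):
            hits.append((depth, objnum, declared))
            hits.extend(find_nested_pdfs(data, depth + 1, max_depth))  # reparse the inner PDF
    return hits

if __name__ == "__main__":
    print(find_nested_pdfs(build_outer_pdf(INNER_PDF)))
```

The declared subtype is reported but not trusted: the decision is made on the inflated bytes, since a sample can just as easily omit or mislabel the subtype while still carrying a compressed PDF in the stream.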
I will be speaking at the AVAR 2010 conference in Bali, which will be held from November 17 - 19, 2010, and will discuss widely-used and more technically-basic malware than I have described in this blog.