PDF Malware Protected by AES-256

Adobe Systems released a security update for Adobe Acrobat and Reader 9.x for Windows on December 16, 2011, to fix a vulnerability that was already being exploited in the wild. As Vikram Thakur reported recently, zero-day attacks using this PDF vulnerability dropped Backdoor.Sykipot onto the compromised computer.

We have found another variant of PDF malware in the wild using the same vulnerability. This variant uses an encryption method that is defined natively in the PDF specification. As I wrote in my Portable Document Format Malware whitepaper, the encryption method used by PDF malware has shifted from RC4 to AES. The AES encryption defined in ISO 32000-1 (crypt filter /AESV2) uses a 128-bit key. This variant instead uses AES-256, with a 256-bit key. AES-256 encryption in PDF is specified in Adobe's extension to the ISO 32000 version of the PDF specification (the "Adobe Supplement to ISO 32000", Extension Level 3, which can be downloaded from the Adobe website). Beyond the longer key, the algorithm used to derive the file encryption key differs from the MD5-based one used for RC4 and AES-128 (it is built on SHA-256), and the extension introduces new keywords in the encryption dictionary, such as /UE, /OE and /Perms.

The image below shows the encryption dictionary object that stores the parameters needed to decrypt the document. A crypt filter method of "/AESV3" specifies that the strings and streams in the PDF document are encrypted with AES-256.

The "/U" entry holds a string derived from the user password. It is present whether the document is encrypted with RC4, AES-128, or AES-256, but its size grows from 32 bytes to 48 bytes for AES-256: a 32-byte SHA-256 hash followed by an 8-byte validation salt and an 8-byte key salt. In this sample the "/U" string is 127 bytes long. This is crafted to confuse the PDF parsers inside antivirus scanners, which may interpret a /U string of unexpected length as malformed, whereas Adobe Reader uses only the first 48 bytes and ignores the remaining 79 bytes, which are filled with 0s. An analysis tool that mimics the reader therefore has to accept an over-long /U and truncate it rather than reject the file.

This malware exploits the Adobe Acrobat and Reader U3D Memory Corruption Vulnerability (BID 50922, CVE-2011-2462). The vulnerable code handles U3D (Universal 3D) data, which a PDF carries as a stream, as shown in the following image.

This U3D object has another entry, "/Filter/FlateDecode", which specifies that the stream data is compressed with the DEFLATE format. Because PDF encryption is applied to the stream bytes after the filter has been applied, the order of operations for analysis is the reverse: first decrypt the AES-256 data (for /AESV3 the first 16 bytes of the stream are the CBC initialization vector), then decompress the result, and only then can the U3D data be investigated.
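The following Go program is an added example (not code from the original post or from Symantec) that walks through the steps described above for the /U string and for the U3D stream: it takes the /U and /UE fields of an AESV3 encryption dictionary as already-extracted byte strings (PDF object syntax parsing is out of scope here), uses only the first 48 bytes of an over-long /U, validates the empty user password with SHA-256, unwraps the file key from /UE with AES-256-CBC, and then decrypts an AES-256-CBC stream (IV prefix, PKCS#5 padding) before inflating it. The key derivation follows the Adobe Extension Level 3 (/R 5) algorithm. The sample data (salts, file key, IV, stream body, and the 127-byte zero-padded /U) is constructed in BuildSample to mirror the layout the post describes; it is not taken from the malware.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptDict holds the /Encrypt entries needed for AESV3 (/V 5 /R 5)
// user-password validation. Values are assumed already unescaped from PDF syntax.
type EncryptDict struct {
	U  []byte // /U: 48 bytes per spec, but may be longer in malicious files
	UE []byte // /UE: 32-byte file key wrapped under the user password
}

const (
	uHashLen = 32                    // SHA-256(password + validation salt)
	saltLen  = 8                     // validation salt and key salt
	uLen     = uHashLen + 2*saltLen  // 48 bytes used by a conformant reader
)

// aesCBC runs AES-256-CBC in either direction with no padding.
func aesCBC(key, iv, in []byte, encrypt bool) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input not block aligned")
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// RecoverFileKey validates the user password against /U and unwraps the file
// key from /UE. Only the first 48 bytes of /U are used; trailing bytes (the 79
// zeros in the sample) are ignored rather than treated as an error.
func RecoverFileKey(d EncryptDict, password []byte) ([]byte, error) {
	if len(d.U) < uLen {
		return nil, fmt.Errorf("/U too short: %d bytes", len(d.U))
	}
	u := d.U[:uLen]
	hash, vsalt, ksalt := u[:uHashLen], u[uHashLen:uHashLen+saltLen], u[uHashLen+saltLen:]
	check := sha256.Sum256(append(append([]byte{}, password...), vsalt...))
	if !bytes.Equal(check[:], hash) {
		return nil, errors.New("user password does not validate")
	}
	if len(d.UE) != 32 {
		return nil, fmt.Errorf("/UE must be 32 bytes, got %d", len(d.UE))
	}
	ik := sha256.Sum256(append(append([]byte{}, password...), ksalt...))
	// Spec: AES-256 CBC, zero IV, no padding.
	return aesCBC(ik[:], make([]byte, aes.BlockSize), d.UE, false)
}

// DecryptAndInflate decrypts an AESV3 stream (16-byte IV prefix, PKCS#5
// padding) with the file key and only then applies FlateDecode.
func DecryptAndInflate(fileKey, stream []byte) ([]byte, error) {
	if len(stream) < 2*aes.BlockSize {
		return nil, errors.New("stream too short")
	}
	pt, err := aesCBC(fileKey, stream[:aes.BlockSize], stream[aes.BlockSize:], false)
	if err != nil {
		return nil, err
	}
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(pt) {
		return nil, errors.New("bad PKCS#5 padding")
	}
	r, err := zlib.NewReader(bytes.NewReader(pt[:len(pt)-pad]))
	if err != nil {
		return nil, fmt.Errorf("not FlateDecode data: %w", err)
	}
	defer r.Close()
	return io.ReadAll(r)
}

// BuildSample constructs a fixture (not real malware bytes): a 127-byte /U
// padded with zeros like the sample, a matching /UE, and a deflated stream
// encrypted under fileKey with a fixed IV so the output is deterministic.
func BuildSample(password, fileKey, plaintext []byte) (EncryptDict, []byte) {
	vsalt, ksalt := []byte("vsalt123"), []byte("ksalt456") // constructed salts
	h := sha256.Sum256(append(append([]byte{}, password...), vsalt...))
	u := append(append(append([]byte{}, h[:]...), vsalt...), ksalt...)
	u = append(u, make([]byte, 127-uLen)...) // 79 trailing zero bytes
	ik := sha256.Sum256(append(append([]byte{}, password...), ksalt...))
	ue, _ := aesCBC(ik[:], make([]byte, aes.BlockSize), fileKey, true)
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write(plaintext)
	w.Close()
	pad := aes.BlockSize - z.Len()%aes.BlockSize
	data := append(z.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := []byte("0123456789abcdef") // constructed IV
	ct, _ := aesCBC(fileKey, iv, data, true)
	return EncryptDict{U: u, UE: ue}, append(iv, ct...)
}

func main() {
	fileKey := bytes.Repeat([]byte{0x42}, 32) // constructed 256-bit file key
	dict, stream := BuildSample(nil, fileKey, []byte("U3D stream body (constructed)"))
	key, err := RecoverFileKey(dict, nil) // empty user password, as in drive-by PDFs
	if err != nil {
		panic(err)
	}
	body, err := DecryptAndInflate(key, stream)
	if err != nil {
		panic(err)
	}
	fmt.Printf("/U is %d bytes, reader uses %d; stream: %q\n", len(dict.U), uLen, body)
}
```

Running it recovers the file key from the over-long /U and prints the inflated stream body. The same two functions, applied to the real /U, /UE and U3D stream of a sample, are what an analyst needs before the U3D data can be inspected; a wrong password, a /U shorter than 48 bytes, or an attempt to inflate before decrypting each fails with a distinct error rather than silently producing garbage.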

Symantec products detect these samples as Bloodhound.Exploit.439. PDF malware that leverages older vulnerabilities but wraps them in AES-256 encryption is also detected. Please be sure to keep your virus definitions up to date. Users of Adobe Reader and Acrobat 9.x for Windows should also upgrade to the newest version as soon as possible. Additionally, Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of the type currently targeting this vulnerability from executing.