We keep seeing new waves of PDF file-based attacks that exploit the Adobe Acrobat and Reader CVE-2010-0188 Remote Code Execution Vulnerability (BID 38195) that exists in certain unpatched versions of a popular PDF reading application. All these attacks were stopped by Symantec’s Skeptic™ technology.
- Determines the current version of the PDF reading application and builds the matching crafted TIFF file and shellcode.
- Sprays the shellcode into memory (heap spray).
- Assigns the crafted TIFF image to the "rawValue" of a pre-defined form element, so that the vulnerability is triggered when the image is rendered.
It is interesting to note that the version of the PDF reading application is converted to a very large integer and compared against a fixed threshold that corresponds to one particular application version. This is probably intended to confuse malware analysts and/or antivirus (AV) scanners, because in this instance the generated TIFF image and shellcode turn out to be identical whatever version is detected; the version check changes nothing about the payload.
A portion of the extracted hexadecimal encoded shellcode is shown in figure 3.
Figure 3: Portion of the extracted hexadecimal encoded shellcode
Examining the decoded shellcode further shows a URL at its end (figure 4).
Figure 4: Malicious executable file link in shellcode
This makes it clear that, once the shellcode runs successfully, it downloads a malicious executable from that link. Unfortunately, the link was live only for a very short time and we have been unable to retrieve the actual executable sample as yet.
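The step described above, decoding the hex-encoded shellcode and pulling the download URL from its tail, is the sort of thing an analyst does by hand on every new wave. The following Python helper is an added example written for this post; it is not Symantec's tooling and not code from the sample. It assumes the shellcode is hex-escaped the way PDF JavaScript exploits usually carry it, either as `%uXXXX` units (consumed by `unescape()`, each unit is a little-endian 16-bit word) or as `\xNN` bytes; the sample strings, URLs and opcode bytes are constructed for illustration and are not taken from figure 3.

```python
import re
import struct

# Constructed sample 1: "%u" unescape form. A short NOP sled, a few opcode-like
# bytes, then the URL "http://example.com/a.exe" and a NUL terminator.
SAMPLE_PERCENT_U = (
    "%u9090%u9090%ue8fc%u0082%u0000%u8960%u68e5"
    "%u7474%u3a70%u2f2f%u7865%u6d61%u6c70%u2e65"
    "%u6f63%u2f6d%u2e61%u7865%u0065"
)

# Constructed sample 2: "\x" form carrying the URL "http://10.0.0.1/x.exe".
SAMPLE_BACKSLASH_X = (
    r"\x90\x90\x90\x90\x68\x74\x74\x70\x3a\x2f\x2f\x31\x30\x2e\x30"
    r"\x2e\x30\x2e\x31\x2f\x78\x2e\x65\x78\x65\x00"
)

_PERCENT_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
_BACKSLASH_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_percent_u(s: str) -> bytes:
    """Decode JavaScript unescape()-style text: %uXXXX -> 2 bytes little-endian, %XX -> 1 byte."""
    out = bytearray()
    for m in _PERCENT_RE.finditer(s):
        if m.group(1) is not None:
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def decode_backslash_x(s: str) -> bytes:
    """Decode \\xNN escaped text into raw bytes."""
    return bytes(int(h, 16) for h in _BACKSLASH_RE.findall(s))


def decode_js_hex(s: str) -> bytes:
    """Pick the encoding by the first escape sequence seen (assumption: one form per blob)."""
    if "%u" in s or "%" in s:
        return decode_percent_u(s)
    return decode_backslash_x(s)


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Carve printable ASCII runs, the same idea as the 'strings' utility."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def extract_urls(blob: bytes) -> list:
    """Find http(s) URLs embedded in the shellcode; a NUL or non-printable byte ends the URL."""
    return [m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]+", blob)]


def analyze(js_hex: str) -> dict:
    """Summarise a hex-encoded shellcode blob: size, leading bytes, carved strings and URLs."""
    blob = decode_js_hex(js_hex)
    return {
        "size": len(blob),
        "head": blob[:8].hex(),
        "strings": extract_strings(blob),
        "urls": extract_urls(blob),
    }


if __name__ == "__main__":
    for name, sample in (("percent-u", SAMPLE_PERCENT_U), ("backslash-x", SAMPLE_BACKSLASH_X)):
        print(name, analyze(sample))
```

Run it against the hex string copied out of the PDF's JavaScript; the URLs list is the indicator to block or pivot on, and the carved strings often also expose the user agent or file name the downloader uses.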
Symantec.Cloud has protected our customers from all such attacks. Our analysis shows that Skeptic™ blocked over ten thousand PDF files carrying this exploit in the past two weeks (figure 5). The attacks clearly came in several main waves spread over the period shown in the figure. The most aggressive wave was launched on the 16th of February, with over 3,000 hits in a single run; the second largest was the wave stopped on the 6th of the same month.
Figure 5: PDF attacks through emails stopped by Symantec.Cloud over a period of two weeks