New Adobe PDF Zero-day Unleashes Trojan.Swaylib

In a previous blog, Symantec reported on a new Adobe zero-day vulnerability (CVE-2013-0640, CVE-2013-0641) affecting Adobe Reader and Acrobat XI (11.0.1) and earlier versions, that was being actively exploited in the wild. Adobe has yet to release a patch for this zero-day, but in an advisory they have provided a means of mitigation against the attack. 

The initial report on this zero-day being actively used in the wild came from FireEye. They reported that several files were being dropped and downloaded as a result of a successful exploit. Our research can confirm these findings.

Figure 1. Attack using CVE-2013-0640

The steps in the attack, shown in Figure 1, are as follows:

  1. A malicious PDF file drops a DLL file called D.T
  2. D.T decrypts and drops a DLL file called L2P.T
  3. L2P.T creates run keys and then drops and opens a clean PDF file. It also drops downloader component LangBar32.dll
  4. LangBar32.dll contacts a malicious server and downloads additional malware with back door and key logging capabilities

Symantec has antivirus detections in place for the stages of this attack as Trojan.Pidief and Trojan.Swaylib (initially detected as Trojan Horse). The intrusion prevention signature (IPS) Web Attack: Malicious PDF File Download 5 has also been released to detect usage of this specific Adobe exploit in further attacks.

Additional research has shown that the PDF used in this attack would have been caught by our Symantec Mail Security for Microsoft Exchange product and the dropped files used in this attack would have been detected as WS.Malware.2 by Symantec’s cloud based detection technology.

Symantec is currently investigating further protections for this zero-day and will provide an update to this blog when possible. To protect against potential zero-day threats, Symantec recommends that you use the latest STAR Malware Protection Technologies to ensure the best possible protection is in place.