For the last two weeks we have noticed a significant increase of PDF exploit attacks spreading as email attachments posing as fake invoice papers. However, exploring the PDF file has shown that the exploit used in this case is two years old and classified as CVE-2010-0188.
Why would anyone use such an old exploit? Well, we can find the answer to this by looking into which programs the exploit is targeting:
- Adobe Reader 9.3 and earlier versions for Windows, Macintosh, and UNIX
- Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh
There are still a lot of people using these old versions, giving attackers an opportunity to catch users unaware. Last but not least, such an old exploit kit will cost almost nothing in comparison with zero day exploits.
The exploit itself is encoded in “Keyword” parameter and is decoded using simple a “parseInt” function with unusual 0x1D (29) numeral system:
Shellcode is stored in the document’s “CreationDate” parameter as a pure hexadecimal string. Converting this string to binary form will allow us to analyze the shellcode directly skipping the exploit part. The shellcode first determines the image base address of the NTDLL.DLL library via PEB_LDR_DATA structure and then searches for a specific code: 0C330408Bh
This code was used in the algorithm to calculate various functions (LoadLibrary, WinExec, TerminateThread, GetTempPath and VirtualProtect, URLDownloadToFile) from system libraries:
When necessary addresses of functions are retrieved from the KERNEL32.DLL system library (image base address is also retrieved from PEB_LDR_DATA), the address is again obtained from PEB, and tries to download and execute malicious files from a URL specified at the end of shellcode:
These URLs may vary for different PDF samples using the same exploit and shellcode. The downloaded malicious executable file is a stealer-type of application that tries to steal sensitive data such as email logins and internet banking information.
This malware is detected by AVG as a variant of Trojan horse Zbot or Trojan horse PSW.Generic.
What do we take from this? The latest versions of these applications are not affected by this exploit so it’s very important to keep your system and software updated. Important programs such as Adobe Reader, Acrobat, Flash Player, Java and all major browsers have an auto-update feature which makes keeping them up to date very simple.
This hash of the malicious PDF document is 1A95282CEFBD8314FC2CCD2CA42F2A15 and is detected by AVG as Trojan horse Exploit_c.VRA. Downloaded files are detected as Trojan horse Cryptic.
blog by AVG Viruslab Research Group